All it takes is one vulnerable device accessing your network to put your entire organisation at risk of a data breach.
So downloading and installing patches requires planning and perhaps a dedicated staff? And worker bees shouldn't be trusted or expected to handle this aspect of their work environment? BYOD is antithetical to good security practices? Really? They might not have an IT department there, but they sure do have a Department of the Damn Obvious.
What? They might be referring to devices provided by the businesses in question? Then it's no different than any other device on the network in terms of patching and maintenance.