Instituting all manner of (formal?) authorizations, access logging, and cross checking the first with the second does not scale well if it has to be done by people, especially when the reviewers may not be trustworthy. It also is difficult to apply meaningfully for information to which an individual must have routine access in the ordinary course of business. If, on the other hand the authorization and checking is done by systems, it is subject to all the problems that plague system design and implementation in general, most notably that it is done by fallible, sometimes feckless, and occasionally malicious people.
To paraphrase Mencken, information assurance is one of those complex problems for which there is a answer that is clear, simple, and wrong. While we nearly always can improve on the current state, perfection is out of reach.