IT will not win any support
This is typical - what we see is a lot of legacy stuff trussed up in a security policy with very little time to review or modernise.
Regardless of the policy, we still cannot expect people to support or follow policy without more education, or a hard lesson in cause and effect, such as being fined under GDPR.
We still have two problems. Information usually goes into a single bucket, and the security of it becomes IT's problem to fix, monitor and enforce. IT security has become more complex, and the company's solution is to put in generic access barriers, and an access policy. We expect that to be propogated to the business to read, understand and follow.
IT is my life, but I appreciate not all people are that way; I too would rather that nurses spent their time nursing.
IT will continue to hurt until better systems exist that can classify information correctly, silo it correctly, then put the correct access requirements in place - taking away that decision from general users.
Sure, content management and correctly marked templates are viable, but I've not seen an organisation, private or public, that fully understands how to use information metadata, let alone how to silo and protect it properly.