Maybe I don't understand the threat model here: what kind of public-facing services are you running that are simultaneously (1) not already access-limited, and (2) not load-bearing such that they need to be public-facing?

(And to be clear: I see the benefit here. But I'm talking principally about open source projects, not the vendors you're presumably paying.)

Some companies might be willing to compromise functionality to avoid compromise of their networks.

There's always a usability / functionality vs. security tradeoff.