Since the other answers go pretty well into why companies just buy general purpose computers, I wanted to give an answer about security. In a lot of ways, it's easier to secure a system you know is insecure than to secure a system you are pretty sure is secure but don't know in what ways it might be insecure. Windows 10 may have security vulnerabilities, but Microsoft has a passable track record of fixing them soon after they become well-known, and in many instances ahead of any actual use of the vulnerability in the wild. Windows 10 is also used by a huge share of the market and has security specialists analyzing it all the time, so vulnerabilities are more likely to be caught by the "good guys" and sent to Microsoft for patching. If on the other hand your company uses an OS that only does one thing but only a few companies use, you cannot be all that sure that the one thing it does is secure. Windows makes a reasonable guarantee that if someone is running as an unprivileged user, they won't be able to make privileged changes to the system, so the security team can be reasonably sure about what a malicious program or user can and can't do, and the fact that it's maintained by a reputable company and tested by lots of people unaffiliated with that company makes it palatable for a security team to use.

There's also a question of training. Most people use Windows at home, and Windows and Mac are similar enough that people can use them interchangeably for basic use. So, your security training can focus on the important stuff - "Use a strong password, use different passwords for different sites" (or give them a password manager and show them how to use that; there may not be one available on your off-brand OS), "How to spot phishing emails," etc., as well as training for your particular company's processes, and you don't need to spend any time training your employees on how to do basic actions like opening files. Plus, by using the same OS as the company they are coming from, you get the benefit that they likely already have training from their previous company on the same standard policies and advice.

This does not just apply to regular employees, but to your security team and sysadmins too. The fact is, if everyone trains on the same few OSes, then there is a much bigger pool of experienced candidates who can staff your IT department. On the other hand, everyone has to take remedial training to understand your special OS if you use one, increasing cost to the company.

Finally, I wanted to touch on a basic idea of security you have that is wrong. It seems like you believe the best way to secure a system is to lock it down as tight as possible and make it difficult to use. There is a common security approach that revolves around "three pillars" - Confidentiality, Integrity and Availability. The third one is important here: the purpose of security isn't just to prevent unauthorized users from modifying or viewing data, but to keep the systems a company needs to function available for users. Sure, you could have systems that are in their own LAN with no Internet access, but what happens when someone needs to communicate with another company? You cannot open up the network, since you designed it to have no Internet communication and therefore "This interface [has] a simple username/password system, with no demands to reset passwords or 'two-factor auth' or any of that nonsense". So, either your company is the only company in your sector that doesn't have email (or a website), or you have to find another solution. If you take the first option, your company won't exist in 3 months, so you'll have to go with the second option. Well, perhaps your security team won't come up with the solution; your users will. That solution will be doing everything over personal email (or we set up a company domain with our department's budget and use a cloud email service with it). It might be to contract with an external cloud service to set up a website. I've been the user that doesn't want to deal with the security team and creates this kind of "shadow IT", and I've been the guy who has to deal with the fallout of "shadow IT" that gets created in companies with insufficient Availability, so I know some of what users can do without the security team's consent. I'll leave you with a very relevant quote, AviD's Rule of Usability:

Security at the expense of usability comes at the expense of security.

Actually, one last thing. You say

Yes, there's still the nightmare of dealing with the actual "mainframe"/server (I honestly don't understand why even a massive company would require more than one in this day and age, given their immense power)

No sane company has only one data center - either they have at least two so that they have redundancy if there is a natural disaster, or they contract with a cloud provider who does that for them. If your employees at least have laptops that can do most basic functions, then even if there is a problem with your network they can still work on things on their local computer; but if they have to be connected to the network, then any network issue grinds your whole company to a halt.