Is the security controls in most companies that bad?
I heard that developers can have production database access and write queries without logs.
Given that "most companies" are small, I would say yes - developers have access that would be terrifying to larger companies.