I'm sure there are exceptions, but most companies are going to use a certificate provisioning process tied to the device that is required for connecting to corporate resources. I agree with you that lacking this opens the door for someone to connect with an insecure device and create a whole series of compliance issues.