Compliance.

To work with various private data, you need to be accredited and that means an audit to prove you are in compliance with whatever standard you are aspiring to. CS is part of that compliance process.

Which private data would a computer need to operate a lift?

Another department in the corporation is probably accessing PII, so corporate IT installed the security software on every Windows PC. Special cases cost money to manage, so centrally managed PCs are all treated the same.

Anything that touches other systems is a risk and needs to be properly monitored and secured.

I had a lot of reservations about companies installing Crowdstrike but I'm baffled by the lack of security awareness in many comments here. So they do really seem necessary.

It must be security tags on the lift which restrict entry to authorised staff.

who's allowed to use the lift? where do those keycards authenticate to?

Because there's some level of convenience involved with network connectivity for OT.