Consider what Active Directory is in the context of your corporate identity. Chances are everything from desktop to payroll and any special access privileges are all there.
Centralisation might mean less attack surface, but it definitely means single point of failure.
I wish I could tell you about the security howlers I’ve not only seen but that persist in the infrastructure world. Suffice to say every OS released since the 1980s can be found, often in equipment where you would least expect it. Control system assets are usually depreciated over 20 years, yet are probably out of support in 10. And you can find default passwords everywhere (how do you manage the credentials of the hundreds of different engineers that may attend the same device?). Repeatedly replacing them in bulk would also set your bills back badly.
Consider also what this means for infrastructure systems that need communications: flow computers, instrumentation, billing, etc.
There is something to be said for a mandraulic system over a connected one, at least from a security POV.
All things considered, the only reason we haven’t seen a major attack (yet) is because we haven’t pissed someone off enough. See BlackEnergy in Ukraine for examples.