I've done work for a company where production, handling lots of PII, was kept well separate from the office system and its vulnerabilities. It was, in fact, a condition of some of their contracts. It might be inconvenient in some ways, but it would have been a lot more inconvenient to admit to their clients that they'd been breached or to have production stopped for days because some toe-rag had encrypted their systems.