Sounds like an ad hominem attack to me. It really doesn't matter what this company sells; it matters whether they're right.
Quite frankly, the percentage of people with too much access that they found is an average. From experience I can tell you that some companies are much closer to 100%...
As for your statement that "locking everything down is rarely a good idea", that's simply misguided. Access should be based on "default deny", not on some expectation.
Regarding your complaint about "systems are so locked down that you really struggle to do your job", you may be surprised that such an approach is not considered to be secure.
Security has three requirements: Confidentiality, Intergrity, and Availabliity. If you can't get to the stuff you truly need to get to it cannot be considered secure.
Unfortunately, and you are right in this, too many people think that full security means locking everything and throwing away the key.
Oh, how I wish companies would require everyone (including the brass!) to take basic cyber security training. Just an hour or to convey the basic principles would put an end to a lot of the issues.