"Security Teams can never be the team of no."
I understand your sentiment, but that is really not applicable. Or rather, it should not be applicable.
To directly address the your email as userID comment; we need to get past userID/password as a login method on its own. Time and again this has proven to be something fairly easy to compromise. MFA is the way to go. Getting a userID is typically fairly trivial because we need it to be something the user can recall. userID is not really the state secret we pretend it to be.
Security teams really should not be the team of no. It should be the team of "this is how we can do this securely" when asked to implement something. We need to focus on turning it around so that it a) meets the business need, b) is practical, c) is scaleable. There may be more that others may want to add to this list, but it is a good start.
In general, security is a supporting organization (some exceptions for if security is your line of business and etc). In security we need to remember this. And we need to remind our customers/business owners as well. We are performing these tasks in the interest of supporting your business and lowering the risks to your business. This is of course easier said then done, but it is very important to not get lost in the battles so much as to lose the objective.
At the end of the day the customer/business owner makes the decision. I won't sign off on anything I can't stand behind. However, I can't stop the customer/business owner from ignoring me at their own peril. It may, of course, be the signal to freshen up the resume/CV.