God yes. I work in a regulated industry, and here's the flow:

InfoSec raises vulnerabilities that show up on reports that get managers scared.

Developers have to continually update to accomodate. Even for non-prod deps. You can raise exceptions, but that's a completely separate can of worms.

Managers wonder why dev work is slowed down.