Admin access is fine; you only need to block the USB ports and secure your network and domain policies heavily enough. The alternative to desktop PCs is VMs in the company's data center, accessed either remotely or from local thin clients via remote desktop.
I can't imagine how unproductive people would be working under all these restrictions. You walk into the meeting room but can't plug your laptop into the TV because it's using a USB-C cable. Can't visit the websites you need to get your job done because they might contain software you can install on them. Have to wait for IT to approve everything and just sit around being unproductive.
Just so the company can continue to have insecure internal services.
Actually, most of the time with companies that still self-host, I see take-home laptops with VPN, since work-from-home is a must. So not only does the risk still exist, the malware doesn't even have to wait for you to go back into the office.