Through the years of consulting, I have seen almost every kind of IT setup imaginable. I've seen machines in locked closets. There are servers in racks in nicely air conditioned rooms. Some servers I have witnessed were literally in a men's restroom.
When it comes to security, many clients are locked down. They are up to date on patches. Logins and permissions are locked down. Anti-virus and anti-malware tools are the latest and greatest. Firewalls block any bad traffic from infecting the network.
What I find amazing is that many of these same organizations leave their servers out in the open for anyone to pilfer. Servers in bathrooms or supply cabinets without locks are just as open as if someone clicked on a phishing scam. A disgruntled employee, an after hours worker, or even a walk-in thief could steal data and no one would be the wiser. Thousands of dollars of security go down the drain with one person who can take, download, or even destroy the hard drives of a company's vital server. Even worse, someone could implant a physical device to steal information over your own network without you being the wiser.
Does your IT organization assess your server's security in your environment? If not, it might be time to get physical with them.