IMHO – Operations should typically handle OS & application upgrades with a review by Infosec. Infosec should be responsible for defining rules and monitoring effectiveness and issues.
I agree. Having InfoSec make the changes to the systems and then monitor them leaves you with a situation where there is no oversight. Never let InfoSec or any other group be able to operate without oversight. As much as you trust someone, it leaves too much of a temptation.
Your people in InfoSec should not want to be in this position.