It might be worth looking at devices in the sense of: do we need to connect this to the Internet or not?
Just throwing a device on the LAN does not cut it. Why do you need to have this connected to the workstation LAN and Internet?
Build separate infrastructures, or at least VLAN it off into its own network, and control and monitor your access points. Block useless outbound services. Why do people need to have web access from the server VLAN? Does your SCADA system really need to be accessible from the Internet or have access?
The point is not to “win” but to educate the stakeholders so they can make an informed decision.