In all the businesses I've worked with, we've only cared about data security. BIOS lockdowns were not needed. USB, I won't comment on. Disable autorun, be done. Worry about firmware hacks? Meh good luck. If it's happened/happening, you are already screwed.
I deal with the state very...