It doesn’t matter if the code is open here. Depending on what your company does, it might be cheaper to buy ready to use products by some vendor than paying software/sysadmin guys to review, deploy and maintain. It can be even required by law. Needless to say there are many software vendors selling contract for open software, either hosted or fully deployed and supported. Still in many fields like medical due to vendor lock ins there aren’t many feature complete open software and you need the programs to be reliable, usable by non technical people and virtually unchanged over long time. To provide these guarantees without depending on proprietary vendors means to make your own software company (and perhaps open up your work not to become just another closed software) and nobody does that.

Security works kinda the same. But in these contexts if someone uses privacy and security together like this it’s probably just bs.