I was at a subsidiary of a very large company and had work slack, email, and all my code on my phone, without even the thing that lets them remote wipe your phone.
It has to do with culture and willingness to put in the effort by the security organization
Not exclusive to IT; I had to weigh the benefits of continuing to work as a caregiver for a small company, versus working in retail for a massive chain (which translates to fantastic insurance benefits.)
Eh, it doesn't need to be, you just need to do the work of putting together granular access controls that can account for your risk profiles.
The risk isn't much different between a company owned telephone and a personal telephone.
They're both susceptible to most of the same attacks, or being left on the bus.
Fuck their data, what about my own? That pest of an app is not getting onto my device. And neither is anything else that gives an employer any control over my device.
For clarity, the android feature essentially makes a work dedicated partition on the phone. Their management app can manage that partition, and for the purposes of data movement it's essentially a distinct phone.
If they've set it up correctly they can do a remote wipe without touching your personal data.
In a lot of cases the drive to have users use their personal devices rather than employer owned ones comes from the users, not the workplace. Only needing to keep track of one device is easier in many cases.