I act as a risk advisor for my employer or client. It is never my job to say no — it is my job to determine the security implications of their plans, and to present in a logical and empirical format the risks they will encounter. It is up to the owners/users/operators to determine if they want to accept, mitigate, or transfer that risk, and to what degree.
If you want a frustrating and unrewarding career in security, try being Mr. or Ms. “No.” The people you are charged with supporting will avoid you, they will try to end-run your policies, and they will label you a job-stopper. Try saying, “Sure you can do it that way. Here are the risks you will be taking on…” It is better than being beaten up in the alley after work or getting a wedgie in the office bathroom.