If you run a pentest, allowing rooted devices will almost certainly show up as a vulnerability. It'll be marked "low risk", but you'll also be told that you don't want to "accept risk" for too many "low risk" vulnerabilities.

So somebody then needs to say that this is not something they worry about rather than doing the easy thing and remediating it.