Unsurprisingly, Enterprise IT is preventing good encryption because their security devices suck. Sorry, I mean they increase security by intercepting all the traffic and logging it.
The use of proxy servers/middleboxes is reducing the security profile by using weak ciphers after interception.
Network traffic inspection, including TLS traffic, in enterprise environments is widely practiced. Reasons for doing so are primarily related to improving enterprise security (e.g., phishing and malicious traffic detection) and meeting legal requirements (e.g., preventing unauthorized data leakage and copyright violations). To analyze TLS-encrypted data, network appliances implement a Man-in-the-Middle TLS proxy, by acting as the intended web server to a requesting client (e.g., a browser), and acting as the client to the actual/outside web server. As such, the TLS proxy must implement both a TLS client and a server, and handle a large amount of traffic, preferably, in real-time. However, as protocol and implementation layer vulnerabilities in TLS/HTTPS are quite frequent, these proxies must be, at least, as secure as a modern, up-to-date web browser, and a properly configured web server (e.g., an A+ rating in SSLlabs.com). As opposed to client-end TLS proxies (e.g., as in several anti-virus products), the proxies in network appliances may serve hundreds to thousands of clients, and any vulnerability in their TLS implementations can significantly downgrade enterprise security
Enterprise security breaches TLS using a MITM. This prevents safe encryption after the point of interception, importantly, the quality of their software is poor.
If the proxy does not implement a proper certificate validation mechanism, invalid and tampered certificates could be accepted by the proxy, and the clients (as they see only proxy-issued, valid certificates). Accepting its own root certificate as the signing authority of externally delivered content could allow MITM attacks on the network appliance itself.
Link: The Sorry State of TLS Security in Enterprise Interception Appliances Louis Waked, Mohammad Mannan, and Amr Youssef – https://arxiv.org/pdf/1809.08729.pdf