Statement 1 is true. If Statement 2 is also correct for you, then continuing to allow end-users to make software-install choices means you've accepted that your company can be compromised at will by almost any hacker. It means that with a minimum amount of effort your company's databases and corporate secrets can be compromised.
That's okay. All security is a cost/benefit trade-off, and different companies accept different levels of risk.
But it is a big risk to take. If you took the current risk of Statement 1 to management, followed by a statement that it's relatively easy for a hacker to socially engineer your employees with a client-side attack, would it not be management's fiduciary responsibility to require a better defense?
If your current defenses can't stop a user from installing my trojan program and compromising your network at will, shouldn't you be doing something different to offset the risk? Maybe not desktop lockdown, but shouldn't you be doing something different, instead of just waiting passively for the inevitable attack?
If Statement 2 is true for you, and you do nothing different, it means you either don't believe Statement 1, or you are playing the odds that attackers won't target your company -- and if they do, they really won't do much real damage. Me, I'd rather gamble off company time.
My one best recommendation may not be for you, but if Statement 2 is true for you, and you are tasked with computer security defense, it begs you to do something different.