Generally IT c-suite people tend to have at least some idea (depending on the company of course). If this were the more general c-suite teams, maybe. But in my experience, technical c-suite tend to be quite knowledgeable. What I find is more common is where the security team and the IT department identify an attack surface and then implement a policy without working their way through it (and dragging the c-suite with them). I have seen directives come down that have not had much thought provided and it doesn't get flagged as a concern until it gets to the engineering team or implementation teams.

In this case, one of the teams must have identified drivers as a vulnerability for their scenario (eg, they notice lots of unidentified devices appearing in their asset library which require specialized drivers). This likely caused a knee-jerk directive from the security team (and a potentially messy cleanup job for the support desk/engineering team). I would have suggested a review of the unidentified devices to understand what is being plugged in (categorized, reviewed for security implications and risk analysis) list what device driver packs are included in the gold image (hopefully removing obsolete, useless or risky drivers).... then publish a list of supported devices in a support portal and then broadcast the directive (there are some other steps, but you get the idea).

Industrial espionage is big business these days so it's not a surprise. It's just the implementation that is a concern. A lot of teams are running around with their heads cut off due to all the new security issues being identified (on a near daily basis it seems)