In the mid to late 90's I attended a series of Cisco courses on installing and administering LAN/WAN systems. The focus during the intro sessions was on providing access to resources, the advanced courses focused on restricting access , traffic shaping, prioritized traffic flows and content filtering. The latter was broadly considered "security" features.
In the early going when public internet was still new especially for small to medium sized businesses with a small or no formal IT department, security was a vague concept, many organizations had little clue, those that did assumed it was a commodity a la " I'll have a monthly T1 service, $50 worth of security and uh, throw in some email and a couple extra IP addresses, please".
Meanwhile, at the enterprise level, Cisco's philosophy on implementing security was premised firstly upon stressing to a potential customer the need for them to establish a security policy. The overall idea is that the techs and engineers can't turn the screws on the equipment to effect security if an organization has not decided on or defined what their idea of security is in the first place. Given the technologies available at that time that philosophy was more theory than reality compared to the present.
When a person is using an upstream link to the web at the expense of some other person or organization there is at least some valid argument to the idea of "its my link, you wanna use it, fine but don't complain about our standard "policy" no matter how Orwellian it is". But what if service providers providing millions of wired and wireless links to rank and file paying subscribers.; or how about the backbone service providers routing bulk web traffic among peer backbone providers? Are they too entitled to implement and maintain, anonymously as it usually goes given the nature of how they fit into the scheme of the collective web, whatever restrictions, shaping, filtering, priority scheme that suits the whims of their particular policy or ideology concerning "security" ?