It's common for the people administering a company's public website and mail servers to be different people than the ones administering desktops and printers and Active Directory.

And the last of those is a major contributor to this since it wants to take over the domain it's on. You can solve this by delegating a subdomain to it, but now your internal use domain is longer, and there are security implications to this because now unrelated internal systems may e.g. have access to cookies set for the public website. Or have the ability to issue dynamic DNS updates, so an attacker who compromises a random low-level internal system can point a name inside the company's public domain to their own servers and even potentially have a TLS certificate issued to it via ACME, even if the public infrastructure hasn't been compromised.
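The cookie-scoping part of the comment above, as an added audit check that is not part of the original comment: it applies RFC 6265 domain matching to Set-Cookie headers a public site emits and flags the cookies that a host in a delegated internal zone (here the constructed `ad01.corp.example.com`) would also receive; all host names and headers are constructed samples.

```python
# Added example: flag public-site cookies whose Domain attribute also covers hosts
# in a delegated internal zone. Host names and headers are constructed samples.
from http.cookies import SimpleCookie

PUBLIC_HOST = "www.example.com"           # constructed public web host
INTERNAL_HOST = "ad01.corp.example.com"   # constructed host in the delegated internal zone

SAMPLE_HEADERS = [  # constructed Set-Cookie headers as a public site might emit them
    "session=abc123; Domain=example.com; Path=/; Secure; HttpOnly",
    "__Host-csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Domain=www.example.com; Path=/",
]


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3 domain-match: host equals cookie_domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def is_sent_to(morsel, origin_host: str, target_host: str) -> bool:
    """Would a browser that received this cookie from origin_host send it to target_host?"""
    domain = morsel["domain"]
    if not domain:
        # No Domain attribute: host-only cookie, returned to the exact origin host only.
        return origin_host.lower() == target_host.lower()
    if not domain_matches(origin_host, domain):
        return False  # browsers reject a Domain that does not cover the setting host
    return domain_matches(target_host, domain)


def audit(headers, public_host=PUBLIC_HOST, internal_host=INTERNAL_HOST):
    """Return (name, domain) for each cookie the internal host would also receive."""
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for morsel in jar.values():
            if is_sent_to(morsel, public_host, internal_host):
                findings.append((morsel.key, morsel["domain"]))
    return findings


if __name__ == "__main__":
    for name, domain in audit(SAMPLE_HEADERS):
        print(f"{name}: Domain={domain} also reaches {INTERNAL_HOST}; "
              "drop the Domain attribute (or use the __Host- prefix) to keep it host-only")
```

Only the `session` cookie is flagged: its `Domain=example.com` covers every host under the parent domain, while the `__Host-` cookie and the cookie scoped to `www.example.com` stay out of the internal zone.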