Developers can have local admin because it's expected that you can trust them. If they betray that trust, then they lose that privilege, and depending on the nature of their work that might mean they cannot work. Bad for them, but surely it was written in their contract.
It's never actually in a contract; these are always policies, since employment is at-will.
But "they cannot work" is implying that person gets fired. I agree that serious breaches of security are a firable offense, because it's plainly a fact that people get fired over them.
Generally, though, developers are fairly hard to replace and anyone who is hard to replace is equivalently hard to fire.
So most security policies have to work out some kind of compromise between those competing interests.
Some of the US might be at will employment, but it's not like that everywhere. In Denmark employment is not at will, but you can only fire someone if there is just cause. This particular scenario is in the security policy, and in my contract it's stated that I will follow that.