VPN access doesn't have to be all-or-nothing. They could (and should) lock each employee's VPN access down as much as possible, i.e. support personnel have access to their support tool and nothing else, etc.
Production hardware should be on a separate network/VLAN/whatever anyway.