Particularly given that "air-gapped" networks can still be compromised via numerous methods by a determined attacker, so the more avenues you secure effectively, the safer you are.
It's one thing to design a hardened network design because it's the right, safe, or proper thing to do. Because it's beneficial to design. Because it's a security requirement for a sensitive installation.
It's entirely another thing when you're having to recommend hardening a network above and beyond what is inherently necessary or beneficial - and risking falling into the "so secure it's no longer useful or accessible" territory - just to make up for shortcomings in the devices you're attaching to your network.
Fact of the matter is if you're having to secure your network because your security devices are known to be inherently insecure, you're just plain doing it wrong.
Just because all devices can be insecure, and to some degree should be treated as such, does not mean all devices are insecure, nor does it take the onus of shame off security devices that are, in fact, insecure, with known, inherent security flaws that can only be remediated by disconnecting the network from any other point of entry.
NOTICE: This comment was moved from an existing discussion: Always Choose HIKVISION