…this could be an easy entry to the corporate network

Any business, past the ‘mom and pop’ stage does not have the WiFi access to their internal network. There are a number of ways to accomplish this, simplest is a separate connection to the ISP(s), either directly or via a virtual network. They also might be using their firewall’s DMZ functionality so devices on the WiFi cannot access the internal network, but devices on the internal network can access devices in the DMZ (for easy maintenance). Anybody with a WiFi device who needs access to the corporate network gets a VPN. Then it doesn’t matter if they’re in the office or in Timbuktu, Well, for that latter, you can control what IP ranges you’ll accept an incoming VPN request from (and so get large scale geo boundaries). But that’s a different issue…