There are a lot of interesting conversations that come up when discussing R in the enterprise. Industry aversion to open source is definitely eroding, though (i.e. Linux is becoming the de-facto standard for server infrastructure in many places).
In any case, this article does a good job of articulating an approach to "bringing R through the front door" of an org (even though R is prone to come through the back door).
I think you are right to point out the suspect reasoning that "open source = vulnerable." There is a lot of conversation to work through there.
Also, if you are thinking about security, it might be worth taking a look at RStudio's pro products if you haven't already, which are designed to integrate into enterprise security infrastructure without sacrificing the ability to play nicely with the open source R community.
Finally, I definitely advocate for building internal R packages to support your infrastructure. There is no reason that such a package needs to be "open source." In fact, I believe it is common for organizations to have "internal" R packages that are withheld from the open source community and make R data science easier internally.