Once upon a time I spent a total of 4 hours (over three days) in meetings, stating that I will definitely not approve a security exception. At least, not until someone demonstrates that the exception requested, removes the root cause or is a valid workaround.
The requester asked to open a hole in a certified network architecture, something I obviously did not want to do; especially when there was no reason to do it! The intensity of the request, accompanied by the oh-so-common "threat to escalate" was annoying me.
Not even 5 minutes after I heard the problem, I was 90% confident it was DNS related - leaving the rest 10% as network misconfiguration. After all, as us greybeards and previous sysadmins usually say, it's always DNS. I knew the answer and could solve the problem in less than half an hour. Despite that, I chose to treat the rest of what ended up being another 3.5 hours, as a training opportunity for the teams involved. The teams had to focus on network configuration, deductive reasoning and troubleshooting techniques.
I consider that "time well spent". This is part of developing our people and teams; we let them fail, we set up walls so that they find - on their own - the proper way around them. If I had told them immediately what the problem was, I would have missed the opportunity to have them think differently, and hopefully understand better how networks work.