When it comes to business-critical, never. Warranty support trumps all. Right now, the problem is future support. While almost any machine, even from the Ivy Bridge era of CPUs, is powerful enough for today's basic usage, Win11 requiring TPM from the gen8 chips or newer or Ryzen Zen 2 or newer pretty much makes it pointless to buy used right now.
Getting a used desktop machine that would support Win11 isn't even half the cost. I just don't think the ROI is worth it right now. When prices come back down it might make more sense though, like it used to.
As for security concerns, I'm going to wipe and image every machine anyway, typically going to load a more updated UEFI image as well, so not really. Worth poking to make sure someone hasn't installed a USB DOM or something on the board, though.