It sounds laughable, but I’ve seen small Salesforce orgs in which all users were System Administrators.
On the other side, I’ve seen a single admin for an org with more than 200 users.
The general recommendation is 1 admin per 75–100 users, and some suggest 1 admin per 50–75 users.
My recommendation is similar, but regardless of the org size, you should always have at least 2 admins. I’ve seen situations in which an admin gets locked out, so having that 2nd admin avoids opening a SF case for help.
The main reason for this is: you need to save your client from themselves. As the expression goes, “With great power, comes great responsibility”, and some users aren’t sufficiently trained to handle all that power.
So limiting their access isn’t just best practice, it’s an intentional effort to prevent needless mistakes
The takeaway
The concept of least privilege is so that users only have access to what they need, and nothing more.