Of course there is a kill switch. This is one of the key features of an MDM/endpoint manager. You won't be able to sell one without it. It's also built in to apple's management protocol (which most endpoint management systems leverage) and in activesync.

You just have to secure it properly. Have limits to how many one admin can wipe etc. But trust me every company with managed IT assets has this capability. Often even in BOYD scenarios! Stryker just failed to secure access to it properly and to set sensible limits.

However, the feature isn't very effective in the field. It's very unlikely for an attacker to be smart enough to bypass the password on a stolen Mac which is needed to connect it to WiFi, yet at the same time be dumb enough to connect it to the unfiltered internet so it can receive the wipe command. The overlap between these sets of people is almost zero. We do fire a wipe at every stolen computer but I doubt it ever actually happens. If it ever happens it'll be a total end user fail (like writing the password on a post-it with the laptop)

Either you will lose it to a common thief who won't be able to breach the login (99% of cases), or to a really targeted adversary who has cellebrite or something similar and won't connect it to the internet ever again. This is still the most risky scenario because if someone like that steals it, there's bound to be something really valuable on it.

In practice this is something more suited to mobile devices.