Corporate development choices are driven by the imperative to rapidly deliver customer value. Developers have their own values (language preferences, philosophical agenda, etc.) which sometimes conflict with this imperative but when push comes to shove, a CTO's job is to "get it done."
The great advantage of Web Apps for corporate development, and to a slightly lesser extent for ISVs, is the "touch once, fix everwhere," deployment model. The hyperlink and button Web UI paradigm has a "don't make me think" advantage and is easy to develop, but really, what makes the Web ideal for corporate development is that because corporate apps evolve in a much-less disciplined manner than commercial software, Web-based deployment can get a fix "into the field" in a matter of hours.
Visual Studio Tools for Office gives a hint of how Web-based deployment can be combined with the ultimate fat client: Microsoft's Office suite. The problem is that even VSTO does not yet have an appealing solution for bestowing trust. There needs to be an easy yet completely trustworthy rights-granting process: in a completely trustworthy manner, the publisher identity and a comprehensive list of security requests must be presented to an administrative actor (either a sufficiently trustworthy end-user, a remote operator, or a system process). Basically, .NET's got the publisher-identity stuff down, but the list of security attributes and process by which rights are granted are too obscure.
You need something along the lines of a firewall: I was just configuring a system for my sister and got an alert that something called "Backweb" was trying to access the Internet. I Googled for it and found that it was the result of having just installed a Logitech device: okay. Remove the step of having to manually Google for an explanation and extend the firewall-like "Allow, Allow once, Block once, Block forever" across all security attributes and you've got the type of UI I'm talking about. Modify it so that instead of my sister getting the message I could set up her system to pass the security request to me (her sysadmin) for either manual or automated decision-making.
Short of that type of capability, the fat-client model will always be less appealing than Web Apps on the deployment front.