Hi Julius,
as alway with security, there is no one size fits all. It depends for instance on your workforce If you have a high number of consultants working on Dev and Q, in many cases you want them not to get onto your prod systems.
However this is not the only reason. Usually a system has not only the STMS connectivity for the chain but is interconnected to other systems as well. Just one (real life) example from the past. A customer did copy his prod system to Q and then did some testing in there. However they simply forgot to reconfigure the service connections to let thempoint to the other Q systems and left them pointing to the other prod systems. As there have not been any firewalls in place, thoses connections did work. You can now guess what happened.
The reason you may want to split the zones for prod and dev often is not for the single system but really to have no business connectivity between the systems of the different zones to avoid the above, be it intentionally or by accident.
I'm with you, that if you have only one DEV/Q/Prod line with no other connectivity requirements, setting up different network zones for this may be a bit of an overkill. However I have not seen a customer so far, that had such a setup.
Regards,
Patrick