I am not a security expert or a developer, but this seems rather sloppy.
If it is just to display some data to a business user, even a functional consultant knows how to create and assign queries and add authorization checks (if you can't afford an ABAPer).
And if the business has to maintain stuff in PRD in z-tables - is it really that hard to create a transaction which calls a maintenance view and assign it to a role?
I've never seen SE16 granted to the business in any system... still digesting the idea... especially as for exchange rate display/maintain there is absolutely no reason to give SE16N - TCURMNT works just fine (in my sandbox, table TCURR is the only one with authorization group FB32).
This means either the FI consultant was not aware of a common standard transaction or somebody granted SE16N for all authorization groups... In both cases this is scary, but in the second case - I wonder if the users found PA0008/PA0015.