In the context of the question i think the terms push/pull are confusing and become moot.

I think @wilhelmF is coming at this from the position: If a wouldbe miscreant could compromise the DS, he can onward compromise all the clients without further lateral movement - this is because the clients 'trust' the DS.
On the other hand, by reversing the process, a single compromised client, can extend its reach no further, as no other clients nor deployment server trust it.

Puppet and Ansible still have the same security cascade issue as the DS, except the authentication is reversed - the server has to authenticate to prove it has appropriate permissions.

My comment above was to highlight that its not the direction of the push/pull which should be of concern, but the authentication and defence around those sensitive management assets. - whilst its always a good idea to lock your front door, don't be surprised if someone climbs through an open window.
With this in mind, I know I would rather manage one house, rather than a whole street. 🙂

Having clients phone home to a single server which you can verify with a certificate is a far more secure means of operating than the inverse.

I think you should take the opportunity to explain to security how the DS/DC architecture works, and why their request would be counter productive from an overall security standpoint.
(ie, one remote system with which to confirm identity, versus hundreds or even thousands)