Do companies spy on other companies?
Solution 1:
Yes and no. There have certainly been cases of people snooping into the business of other people. There have been cases of people getting access to corporate secrets by sheer dint of social engineering.
If everyone within the company knows that you only ever reveal passwords by encrypted email to within the company or by handing over an envelope with the password inside, anyone who tries to social-engineer access from you suddenly has a bigger problem.
They can't just phone up and go "It's Bertie. You know I'm off on holiday" (this information handily provided by the corporate policy on having an accurate out-of-office message) "and I wanted to do some quick checks on the doodah, but it seems my remote access password has expired. Could you reset it and tell me the new one?"
Mostly because they'd then have to say "Sorry, Bertie, you know you have to pick that password up from our nearest office, identifying yourself with the corporate ID badge".
Same thing goes for IM. Can you tell from the chat window exactly where the other end of an IM conversation is and who's physically present at that end? If you can't, revealing something sensitive runs the risk (remote as it is) that whoever you're talking to isn't who you think.
Of course, there's always the need to balance convenience and security. It may be that revealing passwords over phones and IM sessions is convenient enough (and frequent enough) that it outweighs the security implications. I cannot tell you if that is the case for you.
Solution 2:
Whether this manager is right or not, there is a lot to be said for finding a good balance between behaving as if he is correct and not stopping the progress of the business.
I hate the term "paranoid" to describe secure business practices, by the way. Unless the precautions are truly over the top vs. the risk being addressed, there is nothing "paranoid" about treating company and customer information carefully.
Keep in mind that someone might not only be trying to 'steal' business secrets in the sense of future secret projects, but also things like internal price lists and customer details (useful to a competitor who would like to undercut you).
Also consider criminals who might quite like to steal the list of customer details including credit card numbers from that poorly protected, unencrypted CRM database that everyone knows ought to be updated but no one ever gets around to doing. This latter example has certainly happened often enough to be a real concern.
The precautions you outline in your question are certainly not any evidence of security "paranoia" as far as I'm concerned. I'd say those are part of the absolute minimum standards that any business that was serious about protecting its own interests and liabilities plus those of its customers ought to be doing as a matter of course.