It turns out that for a long time now Apple iPhones have been lying to Exchange Server mail hosts, telling the mail servers that on-device encryption is supported. It now transpires that only the recently-added 3G S model supports encryption through hardware, and this came to light when a recent upgrade made the phones tell the truth.
The unfortunate consequence for any business that has standardized on iPhones for remote mail access is that if they have required on-device encryption the iPhone has been breaking their security guidelines since it was installed. According to Apple their only alternatives are to change their security policies to allow iPhones to store plain text emails or upgrade everyone to the new 3G S device.
What a crock. Not only that, the iPhone users apparently had to wait until after they'd been upgraded to even learn that this issue existed. I am so glad I'm not a corporate Apple user.