As of now, we've disabled MDS and have a 30-minute idle timeout policy and a 60-minute mandatory timeout. In the desktop world, timeout is 10-15 minutes. Passwords are also initially mandatory but optional.
...I agree with you, sacrifices made in direct objection to corporate security policies are, without a doubt, quite upsetting. But at the end of the day, you aren't the one signing your own check, right?
In all honesty, your best defense against these sacrifices would be end-user education... but then again, you'll always have those that simply will never 'get it'. In the event of stolen/lost equipment, you may want to make sure that it's policy and procedure to make a call directly to someone who can access the BES user accounts... of course, that is one of those semi-enforceable procedures that will often be ignored and very hard to audit.
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.