I'm pushing for a 20 minute timeout as a hopeful best compromise between security needs and the usability issue, coupled with the lock when holstered option. I'm also trying to get a hard-coded policy in writing about reporting lost or stolen Blackberries ASAP for remote-initiated locks or wipes.
I agree 100% with you about the security need and empathize with the headaches caused by getting this past the user population.
Being a user myself, I'll take the inconvenience of having to type a simple password every 20 minutes vs. the considerably larger inconvenience of having proprietary company information exposed to a thief.
I think Jibi has posted a great idea of getting any denials in writing. That kind of accountability, especially with an executive, might be enough to bring reason to the forefront of this issue, and like Jibi said, it's a great CYA at bare minimum.