I concur. When rolling out a password policy, if the user does not have a password set, it will immediately prompt them to enter a new password and have them enter it a second time for verification.
I also recommend that the timeout value be set initially to the maximum (60 min) so that the constant timeout of the default 2min doesn't drive your users nuts. This might just be an initial setting that you wittle down over time, but i can speak from experience, you are going to have people asking how to get rid of the password prompt, it's inevitable.
I told my users it was part of an upgrade to our BES server which was required and that there was no way to remove the password requirement.
To make it simple for our users, we recommend that they use their login ID's as their password for their BB. It's simple usually and requires no special characters. If someone were to loose a blackberry device, the person who found it would in almost all cases not know the ID of the person who lost it. We take the approach that the password on these devices is simply there to buy us time. Enough time for a user who looses it to contact us and have us remotely wipe the handheld.