While I'd agree with your position on locking down policies for a sub-1000-user organisation, that rule of thumb is completely flipped when you scale up to multi-site and even globe-spanning organisations, where helping the temp receptionist 200 miles away get her machine to run smoothly because she's installed yet another browser toolbar simply isn't practical, and training for a role like call centre staff with such a high turnover is simply a black hole.
For such low level staff as this, turn-key reliability is key. For machines such as this, which make up the vast majority of nodes in large organisations, a profile for the job it is required to do must be created and replicated. Let us not forget that the biggest singular threat to security is the user (and therefore any executables they click) running with admin rights.
A highly competent admin can create a machine profile that allows the user to perform any and all duties involved in their job role, while at the same time locking it down so well that any support call regarding said machine can nearly always be attributed to catastrophic hardware or software failure, for which automated response systems are in place.
But getting back to laptop specific issues, the two biggest challenges presented are data access, and automated resource configuration.
Data access is simple with a desktop within your firewall. It's on the server, and rightfully, that's where it should stay. Laptops force you to make compromises. One of the most logical solutions is external access. FTP is an all-out insecure disaster waiting to happen, and more often than not, too complex for a great many sales reps who, let's face it, were hired for their people skills, not their IT skills.
VPN is a much more elegant and secure solution if done right, and is relatively transparent in use to the end user, but can (and often does) fail if whatever net connection has ports blocked, or worse still, if the user cannot gain access at all. 3G coverage is by no means all encompassing.
For the hard-core roamers, this leaves synchronisation, which is, frankly, a pain in the arse. Completely side-stepping the blatantly obvious security implications, every IT bod who has had experience with Outlook will know that the most common failure point is the offline cache stored within its .pst files. Other forms of synchronisation are no different, especially when both offline and online versions of files are modified between syncs. I could go on (and on)...
The other challenge is resource configuration: things like printers, proxy settings, and network drives that differ between site and domain. The user, who has already been conditioned to expect such resources to 'just work' within the desktop environment, now expects them to dynamically adjust wherever they go. Woe betide if Word takes a full 40 seconds to load because it's timing out waiting for a disconnected network printer to respond.
The real kick in the teeth is that there is no ideal solution, even in a theoretical environment. Data access is an obvious AND/OR compromise, but dynamic resource configuration also eats away at CPU time the more frequent the checks (startup/logon is no longer adequate, thanks to suspend/hibernate, and sometimes not even that between changing sites). Because of this, portable machines will always be a higher maintenance cost by several factors than their desk-chained counterparts.