Wasn't CESG who mandated this...
NPIA had the option of those or Barron McCann X-Kryptor's and chose the AEP's because they have superior key management and the ability to update keys over the wire without having to visit the encryptor or send out the updated key mat to the local force IT team. They actually pay for C&W to manage the encryptors on their behalf.
Forces had the option of either having CONF enclaves (a CONF network in a room) and having all xCJX workstations linked to a single AEP ED20 unit via a local switch, or they could have individual CONF machines dotted around their force networks, in which case they needed an AEP Net Remote encryptor for each individual workstation (Net Remote is a personal VPN encryption device designed for remote workers) to allow them to tunnel back to xCJX over the force network. It was the force decision which they chose, some forces decided that they would do all xCJX access from a bureau service, others that they would have scattered workstations, it depends on the geography of the force.
Police Force IT security is notoriously lax, a lot of the forces I am aware of don't even comply with the CESG guidelines for the RESTRICTED data they hold on their networks, mainly because they have little experience or budget to afford the security devices that are required.