From what I remember, S/MIME-based encryption in Exchange was not intended for obfuscating the contents of the email. Instead, it was for validating that the original email was unchanged. From what I remember, being involved in writing the original RFC-style protocol documentation for Exchange, this was a known aspect of how S/MIME encryption worked. There always has to be some unencrypted part that leaked information, because the extended headers often contained identifiable information as well. How do you pass a public key in an extended header when all the extended headers are encrypted, was root of the problem, and the message-body was just a longer-length version of that same problem. That's why they eventually went to SMTP over HTTPS/TLC, so that the encryption encapsulated the entire connection.
Or, I could be remembering it wrong, too :D. But, this rings a loud, clear bell in my recollection.