Mobile devices shouldn't be managed like PCs
Beyond the money issues, I also see a lot of ignorance and flimflammery around the technical management of users' personal devices.
First, IT and vendors conveniently ignore the fact that very few organizations actually manage PCs the way they want to manage mobile devices. They require encryption on mobile devices but not on laptops -- though the laptops' data is usually far more valuable and sensitive. Your management and security policies need to be consistent and aimed at risks worth the prevention efforts. Doing it for some devices and some data and not others shows that IT has no real security in place, just busywork pretending to secure the organization. Lock all the exterior doors, not just the ones you happen to walk by.
And realize the technology monoculture largely imposed in the late 1990s is dead.
Firmware and OS updates are not a concern you can address. I shake my head when I hear this pitch from vendors and concern from IT: needing to track the firmware versions and OS patches on mobile devices (which usually means BYOD devices in their minds). Of course, this is not done on employees' home PCs, but forget that. Focusing on mobile firmware updates and OS updates is a pointless exercise for a simple reason: It is out of IT's control. Apple makes its iOS updates available to all compatible devices in one fell swoop; luckily, most users apply them in the space of just a few months. Google's updates are rarely applied by its partner manufacturers or carriers, so the only thing you can count on is that no two Android devices will have the same firmware and OS version. It just ain't gonna happen.
But it doesn't matter. What matters is whether the devices comply with your policies. If an app breaks on a BYOD unit, tough luck, just as it would be if a user updated to Windows 7 or OS X Lion, or to Firefox 11 or IE 9, at home and found that one of your Web services no longer works. It's their device, not yours.
The fact is we don't see the kinds of OS-rev app breakages in mobile devices that we see in desktop OSes. Mobile apps are frequently updated -- much like cloud apps -- so most are quickly brought current if there is an OS-caused issue. Part of the reality of a heterogeneous environment is that you can't control or assure every aspect of it, so you need to focus on the high level and let go of the low-level details. Alternatively, you can choose not to support any user-driven technology.
What you can do, for iOS at least, is join Apple's developer program ($200 a year for a group license) and get the new versions seeded before release. That way, you can test your own apps and any you have as a standard installation. (That's not an option for Android.)
In any event, if your network and data security depends on endpoint devices having specific OS updates or firmware versions, you face a bigger problem. The core's security simply cannot be so dependent on the endpoints' state.