Please forgive the rushed nature of this post, but after an hour of beating up the various moving parts associated with providing ActiveSync to an iPhone (and other ActiveSync devices), I had to put this out there, hopefully to spare anyone else this particular pain.
If you use forms-based authentication on your OWA server, you can't use ActiveSync -- they're apparently mutually exclusive. Also, you cannot require SSL connections to the /exchange virtual directory if you want to use ActiveSync. Large installations already split these tasks across separate servers for load reasons, and don't run into this, but if you have a single Exchange server (as was the case here) you're SOL.
Of course, this means that Firefox clients never actually log off from the OWA server, since they're not using forms-based auth.
So, to wrap it up: If you want ActiveSync and a secure OWA implementation, you'll be putting up another Exchange front-end server just for that, or living with the fact that you can't require SSL connections or use forms-based auth with OWA, opening up some holes you'd rather not have open.
I'm feeling more secure already.