The short answer: Each tool has important capabilities that the other lacks. For managing our fleet of iPhones (and iPod Touches), we'd prefer to use them in combination. For shops not running Exchange, managing iPhones with the iPhone Configuration Utility alone has one critical drawback: Should the phone be lost or stolen, an administrator cannot initiate a remote wipe of the phone's data or receive confirmation that a remote wipe occurred. But we found that managing iPhones via Exchange is no substitute for using the iPhone Configuration Utility.
iPhone Configuration Utility 2.0: Powerful but not scalable
Apple's free iPhone Configuration Utility, boosted to a 2.0 version when iPhone 3.0 OS was released, has a rich array of policy controls that give IT great authority over iPhones and iPod Touches. The UI is easy to use, with various capabilities broken into "payload" sets that you switch among and configure for a given configuration profile. And they really do work, strictly enforcing their rules on the client devices.
The policies can be set so that an admin password is needed to remove them, as well as to allow or completely prevent user removal. (For an IT admin to get around full removal prevention, you need to connect the device to your PC or Mac and run iPhone Configuration Utility's Remove feature on that device. That certainly gives IT control.)
The configuration utility has the password controls you'd expect, such as enforcing password entry to use the device and specifying restrictions (number of characters, disallowing repeating patterns, requiring a minimum number of characters overall and of symbols in the password, maximum password age, number of intervening unique passwords before one can be reused, and grace lock period before a password is required again). A key capability is being able to set how many failed password attempts wipe out the device's data, which turns the device into a brick. (A "bricked" iPhone can still make emergency calls, but that's it.)
If you're concerned about employees' nonwork activities, you can block access to explicit content; use of Safari, YouTube, and/or the iTunes Music Store; the ability to install apps; and the ability to use the iPhone's camera. But if you want to disallow specific applications, too bad. The only way to do so is to install the permitted apps on the device first (or remove the unpermitted ones), then disable the ability to install apps -- but that also disables app auto-updating.
You can also install credentials via profiles, which is handy if you want to require credentials for e-mail or VPN access, instead of using plaintext passwords that users might copy and use elsewhere. Other configurations you can set include LDAP server information, subscribed calendars, and a default Web clip (essentially, a Web page that appears on the Home screen as if it were an app, such as to your Web e-mail page or customer order lookup page).
You can create multiple configurations and apply multiple ones to individual devices. Thus, you can layer configurations rather than develop a custom profile for each and every device. For example, everyone might get a profile with Exchange, LDAP, password, and application access settings for your corporate standards. And you might have a separate VPN profile that only some users get, and a separate Wi-Fi profile that restricts some users to specific wireless LANs (based on SSID).
One warning on the tool: If you open a payload's settings and don't close it (click the minus icon), the profile includes all the null values for that payload, which essentially prevents users from accessing those settings. You can use this intentionally to, for example, block all Wi-Fi access by only allowing access to null SSIDs (which is not the same as any SSID) -- but it's easy to inadvertently prevent access you didn't mean to block.
The Wi-Fi configuration also doesn't let you require a certain minimum connection security (such as WPA2) for any Wi-Fi connection; you can only require minimum security protocols for specific SSIDs. That's too bad, as it would be useful to allow access at all Wi-Fi access points that meet a certain security requirement.