The security policy shouldn't be; the logic determining what gets displayed where should.

I disagree. The template isn't the right place to decided what to display, it's the right place to decide how to display it. This is fundamental MVC theory.

it's a fault of management stupidity

You may be given retarded, rapidly changing requirements, but that's no excuse for inflicting them on your HTML designers!

-sam