Remote wipe in Exchange ActiveSync is only useful when a user loses his or her device, and even then it is lacking, since the server cannot reach out to the device and wipe it: the device only receives the wipe command the next time it connects and successfully authenticates. Remote wipe in Exchange ActiveSync is utterly useless when people are terminated from their employer.
In the case where you fire an employee and want to remove your organization’s confidential data from that employee’s device, there’s a big ol’ hole that Jesper describes quite well. There are various mitigations that might seem to apply, but most of them revolve around preventing someone from connecting in the first place, or around blocking their ability to connect after you fire them. For example, you could use client certificates so that only devices holding a valid certificate can connect, but that protects you only as long as the client cert remains valid. It doesn’t solve the wipe problem, though: once the fired employee’s account is disabled, the device never authenticates again, so it never picks up the pending wipe, and the organization’s data stays on it.
A related problem: the current device wipe implementation on most phones resets everything and completely erases the phone back to its factory state. Users lose all their apps, personal data, and so on: not a great experience for them (though one school of thought says that you just fired them, so who cares?).
It seems like it would be reasonable to do two things. First, allow sending the EAS wipe message to a device even if it fails to authenticate. If the device has an existing sync relationship, and it tries (but fails) to authenticate, just send the pending wipe message to it anyway. Second, give admins the choice of whether the wipe message requires a complete wipe or only deleting the data that came from the organization originating the wipe message in the first place.
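To make the two proposals concrete, here is an added sketch of the server-side decision a sync server would make per request; it is illustrative code written for this post, not Exchange or EAS protocol code, and the `SyncServer` class, its method names and the `WipeScope` values are assumptions. It models a pending-wipe table keyed by an existing sync relationship, hands the wipe to a known device even when its credentials no longer work, and carries a wipe scope so admins can choose between a full reset and removing only the organization's data.

```python
from dataclasses import dataclass
from enum import Enum


class WipeScope(Enum):
    NONE = "none"          # nothing pending
    ORG_DATA = "org_data"  # remove only data synced from this organization
    FULL = "full"          # factory reset, the behaviour most phones have today


@dataclass
class DeviceRecord:
    device_id: str
    user: str
    pending_wipe: WipeScope = WipeScope.NONE
    wipe_acked: bool = False


class SyncServer:
    """Hypothetical server-side policy for delivering a pending wipe."""

    def __init__(self) -> None:
        self.devices: dict[str, DeviceRecord] = {}

    def register(self, device_id: str, user: str) -> None:
        # A sync relationship is created only by an authenticated first sync.
        self.devices[device_id] = DeviceRecord(device_id, user)

    def request_wipe(self, device_id: str, scope: WipeScope) -> None:
        rec = self.devices[device_id]  # KeyError: you cannot wipe a device you never synced
        rec.pending_wipe, rec.wipe_acked = scope, False

    def handle_request(self, device_id: str, authenticated: bool) -> str:
        rec = self.devices.get(device_id)
        if rec is None:
            return "reject"  # no prior sync relationship: strangers never get a wipe command
        # Proposal 1: a known device with an outstanding wipe receives it even when
        # its credentials fail (e.g. the account was disabled at termination).
        if rec.pending_wipe is not WipeScope.NONE and not rec.wipe_acked:
            return f"wipe:{rec.pending_wipe.value}"  # Proposal 2: scope travels with the command
        if not authenticated:
            return "reject"
        return "sync"

    def acknowledge_wipe(self, device_id: str) -> None:
        # Assumption: the device reports back once the wipe has run. Because this
        # path is reachable without valid credentials, a deployment would want the
        # ack bound to a device-specific secret so a forged ack cannot cancel a wipe.
        rec = self.devices[device_id]
        rec.wipe_acked = True
```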