HandySolo, your .htaccess feng shui is good: it appears to have healed my woes.
the feng shui is mine.
So this directive stops the .htaccess directory inheriting the default mod_security settings.
Surely this is always an issue for servers running mod_security?
Surely, it is not. I have 2 blogs on two diff. servers. Both have mod_security compiled into Apache, and neither has this problem. Hosts configure mod_security differently.
Is there a reason the WP installation doesn't include a .htaccess file with that directive by default?
See above. Beyond that, its not WordPress' job to override something like that. And frankly, I would pitch a Digg-sized fit if the developers ever thought to do such a thing.