I can also determine how much time can pass before the passcode is required. I can choose Immediately, or after one minute, five minutes, fifteen minutes, one hour, or four hours. In theory, I could set the iPad itself to auto-lock after five minutes, but set the passcode not to be required until fifteen minutes. That means that at five minutes I have push the home button and swipe to wake the iPad up, but I wouldn't have to enter a passcode until fifteen minutes (and neither would a thief).
Again, security counters convenience and requires some sort of balance. Setting the passcode to be required immediately might be too tedious and inconvenient, but setting the passcode to be required after four hours is pretty useless. I have my passcode set for five minutes--just like my auto-lock.
One other important security feature in the General Settings is the setting to erase all data after too many failed login attempts. A dedicated attacker may eventually be able to crack a passcode given a limitless number of attempts. By enabling the Erase Data setting, the iPad will automatically erase all data on the iPad after 10 failed passcode attempts.
There is also a setting to turn on or off the feature on the iPad 2 that automatically locks the tablet when the SmartCover (or any other cover designed to take advantage of the magnets in the iPad 2) is closed. If you set the passcode to be required immediately, you can ensure that the iPad is protected every time you shut the cover.
These iPad settings help secure the tablet from unauthorized access, and protect the data it contains. They don't do anything, however, for malware or phishing attacks. Malware attacks targeting the iPad don't really exist...yet. That doesn't mean they can't or won't. There are a handful of anti-malware apps already available, and I am sure there will be more to come.
When it comes to phishing attacks, and socially engineered attacks like those on Facebook, common sense is still the best defense. You simply have to have enough awareness not to click on suspicious or questionable links, and not to fall for breaking news video scams, or bank account password scams, or any other phishing attacks.
The settings on the iPad may be fine on an individual basis, but for iPads in a business environment, IT admins need more control, and they need the ability to control security policies and protect data remotely--rather than having to configure the security settings on each individual iPad. For IT admins, there are more robust tools and platforms for managing iPads, but we'll look at those another day.
My iPad doesn't have the antimalware, anti-spam, or anti-phishing tools that my Windows 7 notebook does, but it doesn't really need tools like that at this point. When it comes to preventing unauthorized access and protecting data, though, the iPad seems to have adequate security available--but much of it is not enabled by default and requires conscious effort to configure.