OK, am I being stupid? The change to 'Mitigated' will still allow unpatched clients to access RD services. From the table in the documentation, in the row for 'Mitigated':
"Client applications that use CredSSP will not be able to fall back to insecure versions."
"Services that use CredSSP will accept unpatched clients."
So clients won't be able to connect to unpatched servers, right? But servers will still allow unpatched clients unless the server is set to 'Force updated clients'. Which MS aren't planning on doing. Which makes the opening line complete round objects.