Forgot to include this:  in addition to the UDFs, we've also decided to use a stored proc to wrap/hide the open symmetric key business. 

create proc dbo.spOpenSymmKey

as

--open symm key if not already open

set nocount on

if not exists(select 1 from sys.openkeys where key_name = 'MySymmKey' and database_name = db_name())

        open symmetric key MySymmKey decryption by certificate MyCert;

go

PS - Would have been cool to embed this functionality in the fnEncryptxxx UDF, but cannot because it causes a "side-effect" and SQL won't let you.