Forgot to include this: in addition to the UDFs, we've also decided to use a stored proc to wrap/hide the open symmetric key business.
create proc dbo.spOpenSymmKey
as
--open symm key if not already open
set nocount on
if not exists(select 1 from sys.openkeys where key_name = 'MySymmKey' and database_name = db_name())
open symmetric key MySymmKey decryption by certificate MyCert;
go
PS - Would have been cool to embed this functionality in the fnEncryptxxx UDF, but cannot because it causes a "side-effect" and SQL won't let you.