It's due to the way AT&T chose to authenticate the customer end. AT&T uses
802.1x certificate-based authentication, which requires a signed certificate on an
authenticator (the AT&T RG). In a 802.11x system, AT&T (or the
authentication server controlling authority) can provide the signed certificate if they want, but sadly for practical reasons most customers would hardly know what to do with said certificate. With AT&T I'm not as annoyed about needing the extract the certificate manually, than I am with the $10/month mandatory charge for the RG. Typically they waive the RG fee for the first year, though thereafter $120/yr for something you won't be using is a bit annoying.