I recently went through a similar proof of concept corporate iPad deployment and had the same questions walking in. The direction we went might not be the best solution, but it worked for us and maybe it will give you a hand with your deployment.
Know your Audience
Early in our deployment it became glaringly obvious that this would have to be a simple solution. Apple devices are designed to be simple, that's the draw in the corporate world. Our main audience was managers, VPs, and CXX level executives. A good number of these folks either aren't technically savvy enough to deal with a complicated configuration, or simply don't have the time to fuss with a device.
It should just work, out of the box, like it was designed.
Just Say NO to Multiple Accounts
Firstly, I can see one big problem with your initial plan. By stating that you have an account created with a secret password I'm assuming that you're having a helpdesk configure the devices and install the software before they're handed over to your end users. What happens when an application is updated in the App Store? Your helpdesk will have to enter the password to have the application updated. Depending on the size of your company this could eat up a ton of time, and most of your end users most likely won't ever bother to go through the process to upgrade.
Additionally, when John Doe leaves the company, the software purchased for jdoe@acme.com will be assigned to John's replacement Fred Flinstone and his iPhone. You now have fflinstone@acme.com using the account jdoe@acme.com. It might not be a big problem at first, but this will easily get difficult to manage down the road.
Mobile Device Management
Depending on the size of your deployment you might eventually start looking at one of the many Mobile Device Management (MDM) solutions out there. We did. It's likely that things will change in the future, but as of this posting we didn't find much that an MDM solution would bring to the table that our Exchange environment wouldn't already provide.
MDM offers a simplistic way to deploy VPN, Wi-Fi, and user profiles. If you're not using Exchange or aren't comfortable with rolling your own solution you might gain more from one than we were able. Other benefits would be device tracking, and enabling your helpdesk to do basic device troubleshooting, device wiping, remote locking, etc. Read the link to Wikipedia above for more information and a decent list of the bigger vendors in the field.
Application Purchasing
We first identified a list of applications that we would recommend for different tasks, and published the list and relevant links on our company intranet. Initially we installed a few applications when we initially configured the device, but ran into the time problem above. We calculated a total estimated dollar figure of all applications that an average user would purchase and bought gift cards for that amount + an additional X% for growth. This was more convenient for how we do purchases than gifting would have been.
Apple recently announced their Volume Purchase Program (VPP), and you might want to look into that if the solution above isn't any help.
Further Reading
Best of luck to you, we learned that smart devices in the enterprise is a rapidly growing environment and there's no "right way" to do things yet. Apple is constantly improving their tools to make the transition better, but they're not quite there yet.
The iPad will allow you to run any app installed on it, no matter what Apple ID it is associated with. You will need to switch to your account when you first download the app, and then switch back. The app will continue to run normally, and if there are any updates you can download them without switching accounts (the App Store will ask for your account's password). I am not sure which account will be used if you try to make an in-app purchase, though, so be careful.
Best Answer
Your ideal deployment scenario depends heavily on a few factors:
You will run into problems using one Apple ID for deployment as well as licensing issues since multiple installs for one Apple ID are only allowed for personal use. I would start by reading Apple's standard software license agreements and decide if you want to have a layered deployment where some apps come from corporate and some personal Apple ID or if you need to do a little more planning before knowing what option fits your needs best.
The cost of labor calculation is the one I see businesses mis-estimate substantially as they sometimes fail to estimate how interested or capable their employees are in self-servicing their computers as well as how effective iterative solutions and building a team that can self-solve and self-train is not only for making good choices for trivial tasks like app updates, but also for productively using technology to solve business problems in general.
By managing the attention and energy of employees, sometimes you will want to make different choices and looking at computer management in isolation can yield a good solution, but taking a broader view and self-assessing where the business needs to head can color the tactical choices you make for managing computing assets.