Hi
It is for security reasons. We want 2 layers of authentication for all external access. A personal (complex) password (from AD) in addition to a PIN (from RSA) makes a more secure solution. Especially when you use On-Demand token codes. These codes are usually sent to the users mobile phone. If the phone is secured with a PIN, the user probably uses the same PIN on RSA and as a passcode to the workspace client...
Another thing I would like to see in Horizon Workspace, is a session timeout policy...