Found it: this was happening whenever the URL was redirecting. Apparently, when a redirect using "Redirect permanent" happens, mod-security's phase 2 is not called.
The Ubuntu host that I used for comparison had other configuration differences which would cause the same URL to be served directly (and thus be subject to phase 2) rather than redirected.

Sorry for the false alert.

Regards,
Alain
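
The gap described in the message above, as an added configuration sketch that is not part of the original post. It assumes ModSecurity 2.x on Apache with the `Redirect` in server or virtual-host context; the path, hostname, rule ids and the `q` parameter are constructed placeholders.

```apache
# Constructed example: /old-path, example.com, the q parameter and the
# rule ids 100001/100002 are placeholders, not values from the post.
<IfModule security2_module>
    SecRuleEngine On

    # Phase 2 (request body) rule. For a request answered by the Redirect
    # below, this rule is not evaluated, which is the behaviour the post
    # reports.
    SecRule ARGS:q "@contains <script" \
        "id:100002,phase:2,deny,status:403,log,msg:'phase 2 check on q'"

    # The same check placed in phase 1 (request headers), which ModSecurity
    # 2.x processes right after Apache has read the request headers.
    # Query-string arguments are available here; POST body arguments are not.
    SecRule ARGS_GET:q "@contains <script" \
        "id:100001,phase:1,deny,status:403,log,msg:'phase 1 check on q'"
</IfModule>

# mod_alias answers this path with a 301 itself, so the request is never
# served as content.
Redirect permanent /old-path https://example.com/new-path
```

To confirm which rule ids fire on a given host, request both a redirected and a directly served URL and compare the entries in the ModSecurity audit log.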