Currently we have the Airlink Security off in our 450, 450i and 450m AP's. Are others enabling it? Is there a significant overhead cost? Other pros/cons?
There is no performance penalty at all as it is done in hardware. No cons that I know of except if you have a mismatch in your SMs / APs when you turn it on then you will strand the SMs that are mismatched.
That is if you have a handful of SMs set for AES and you turn on DES encryption in the AP then those AES SMs will not be able to register to the AP.
Encrypting the air interface of the Cambium radios has long been a debate. While a purist might say that "Security through obscurity" is not really security, one might argue that because Cambium uses a completely proprietary air interface, it is inherently more secure, therefore additional encryption of the air interface is not really necessary.
For example, one cannot take a non-Cambium device and sniff or capture traffic, such as you might be able to do with Wi-Fi or even LTE devices. Because they are standards-based, other devices can easily sniff and capture packets.
Encryption for standards-based devices is essential, and in my mind, mandatory. For peace of mind, and essentially a "best practice", I would also highly recommend using Airlink Security. We will be introducing 256-bit AES capabilities on the 450 platform in the next major software release as well.