192.168.1.x more exploitable?

This will add at best a very thin layer of "security by obscurity", as 192.168.x.y is a way more commonly used network address for private networks, but in order to use the internal addresses, bad boys have to be already inside your network, and only the most stupid attack tools will be fooled by the "non standard" address scheme.

It costs nearly nothing to implement this, and it offers nearly nothing in return.


Sounds like billable busywork to me.

Aside from the fact that many consumer appliances use the 192.168.x.x address space (which can be exploited, like anything else), I don't feel that really changes the security landscape of a corporate network. Things inside are locked down, or they aren't.

Keep your machines/devices on current software/firmware, follow best practices for network security, and you'll be in good shape.


Sounds like your IT firm wants some billable work to me.

The only legit reason I can think of to stay away from the 192.168.0.x or 192.168.1.x subnets is the likelihood of having overlapping subnets with VPN clients. This is not impossible to work around but does add some complication to setting VPNs up and diagnosing issues.


One big advantage to not using 192.168.x.x addressing is to avoid overlap with users' home networks. When setting up a VPN it is a lot more predictable if your network is distinct from theirs.
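
The VPN overlap concern raised in the last two answers can be checked before choosing an address plan. The following is an added example, not part of the original thread: it compares corporate subnets against home LAN ranges reported by VPN clients and suggests a non-colliding range. The client subnet list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: home LAN subnets reported by VPN clients (assumption,
# not data from the thread).
CLIENT_HOME_NETS = [
    "192.168.0.0/24", "192.168.1.0/24", "192.168.1.0/24",
    "10.0.0.0/24", "192.168.178.0/24",
]

def find_conflicts(corp_nets, client_nets):
    """Return {corp_net: [client nets that overlap it]} for conflicting ranges."""
    clients = sorted({ipaddress.ip_network(c) for c in client_nets})
    conflicts = {}
    for raw in corp_nets:
        corp = ipaddress.ip_network(raw)
        hits = [str(c) for c in clients if corp.overlaps(c)]
        if hits:
            conflicts[str(corp)] = hits
    return conflicts

def suggest_subnet(pool, prefixlen, client_nets, reserved=()):
    """First subnet of the given size inside pool that overlaps no client or reserved net."""
    taken = [ipaddress.ip_network(n) for n in (*client_nets, *reserved)]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(t) for t in taken):
            return str(cand)
    return None  # pool exhausted: every candidate collides

if __name__ == "__main__":
    corp = ["192.168.1.0/24", "172.20.8.0/22"]
    for net, hits in find_conflicts(corp, CLIENT_HOME_NETS).items():
        print(f"{net} collides with client home networks: {', '.join(hits)}")
    print("candidate replacement:", suggest_subnet("10.0.0.0/8", 24, CLIENT_HOME_NETS))
```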