
Who has ever said IP6 didn't need firewalling? That sounds insane... And where is this IP6 NAT you speak of??



All the enterprises that have deployed in RFC4193 space are using IPv6 NAT. It's been available in OpenBSD (a popular IPv6 Firewall/NAT device) for several years. If cisco hasn't deployed it yet in their ASAs, they will soon.

Enterprise cannot leak their internal addresses, and, if they do, they want it to be something that nobody can make use of/route to.


Frankly speaking, I'm not familiar with IPv6 NAT.

So to hide the IPv6 corporate network structure it is necessary to send all IPv6 packets outside with one global address. Is this the only option?

It should be possible to hide internal network structure with some address shuffling techniques.


IPv6 NAT (or, more precisely, PAT/NAPT) is pretty much identical to its IPv4 ancestor. One external (globally routable) IP address which represents the entirety of the internal IP address space. If you are on a corporate LAN, and your IPv6 address is from the RFC4193 range (it starts with "FD", e.g. FDC2:D343:1234:5678:...), and you are accessing IPv6 resources outside your company, then some kind of PAT/NAT/proxying is taking place.

I'm sure it will be very popular.
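The RFC 4193 addressing that the comment above turns on, worked through as an added example (this is not the commenter's code, nor OpenBSD's or Cisco's): it buckets IPv6 addresses so a policy can tell a "FD..." Unique Local Address from a globally routable one, flags the ULA-to-global case where some translation or proxy must be in the path, and derives a ULA /48 the way RFC 4193 section 3.2.2 prescribes (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits as the Global ID). The MAC address and timestamp fed in are constructed so the run is repeatable; the function names are my own.

```python
import hashlib
import ipaddress
import struct
import time

# Address classes used below (taken from the RFCs, not from the thread).
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")   # currently allocated global unicast
ULA = ipaddress.ip_network("fc00::/7")               # RFC 4193 Unique Local Addresses
ULA_LOCAL = ipaddress.ip_network("fd00::/8")         # L=1 half: locally assigned ("FD...")


def classify(addr: str) -> str:
    """Bucket an address so a policy can tell 'addressable' from 'publicly routable'."""
    a = ipaddress.ip_address(addr)
    if a.version != 6:
        return "ipv4"
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "link-local"
    if a in ULA_LOCAL:
        return "ula"              # must not be routed on the public Internet (RFC 4193 s.4.1)
    if a in ULA:
        return "ula-reserved"     # fc00::/8, L=0: reserved, never defined for assignment
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"


def needs_translation(src: str, dst: str) -> bool:
    """True when a ULA source talks to a global destination: some NAT/NPT/proxy
    has to sit in the path, which is the situation described in the thread."""
    return classify(src) == "ula" and classify(dst) == "global"


def eui64_from_mac(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): flip the U/L bit, insert ff:fe in the middle."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(eui, "big")


def ntp_timestamp(unix_time=None) -> int:
    """64-bit NTP format: 32-bit seconds since 1900-01-01 plus a 32-bit fraction."""
    if unix_time is None:
        unix_time = time.time()
    secs = unix_time + 2208988800          # offset from the Unix epoch to the NTP epoch
    return int(secs * (1 << 32)) & 0xFFFFFFFFFFFFFFFF


def rfc4193_global_id(ntp_time: int, eui64: int) -> int:
    """RFC 4193 s.3.2.2: SHA-1 over (NTP time || EUI-64); keep the low 40 bits."""
    key = struct.pack(">QQ", ntp_time, eui64)
    return int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")


def rfc4193_prefix(global_id: int, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """fd00::/8 || 40-bit Global ID || 16-bit Subnet ID -> a /64 to number one LAN."""
    if not 0 <= global_id < (1 << 40) or not 0 <= subnet_id < (1 << 16):
        raise ValueError("global_id must fit in 40 bits, subnet_id in 16 bits")
    value = (0xFD << 120) | (global_id << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((value, 64))


if __name__ == "__main__":
    # Constructed inputs: a made-up MAC and a fixed timestamp, so the run is repeatable.
    eui = eui64_from_mac("02:00:5e:00:53:01")
    gid = rfc4193_global_id(ntp_timestamp(1334000000), eui)
    print("generated ULA /64:", rfc4193_prefix(gid, subnet_id=1))
    for a in ["fdc2:d343:1234:5678::1", "2001:4860:4860::8888", "fe80::1", "fc00::1"]:
        print(f"{a:28} {classify(a)}")
    print("ULA -> global needs translation:",
          needs_translation("fdc2:d343:1234:5678::1", "2001:4860:4860::8888"))
```

The pseudo-random Global ID is the point of RFC 4193: two organisations that each generate a prefix this way will almost never collide, so two ULA networks can be merged or joined over a VPN without renumbering, which is exactly what the older site-local (fec0::/10) space could not offer.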


The brilliant and problematic property of the translation (and why I think it will catch on) is that it allows you to easily make today's problems someone else's problems five years down the road. No one gives a ding about what happens in five years in one's network, let alone the larger internet.

BTW, next time you talk with the "address-hiding security" fans, check what result they get from http://panopticlick.eff.org/ - very curious!


I'm one of those "address-hiding security" fans - I've architected and deployed more than 7 million (currently operational) IPv6 nodes, 100% of them in RFC 4193 space. We have many layers of security. Link Layer Security, Application Layer Security, Firewall Security, IPsec Security, App Transport Security in addition to the non-routability security.

I've never understood security professionals who turn their noses up at the usefulness of using a non-routable IP address in your environment. It's always seemed self-evident to me that putting your resources on something like "192.168.1.5" on an internal network, in addition to all of the other steps you take, would be yet another layer of defense that makes an attacker's life difficult. And, in an enterprise environment, I would rather optimize for security than ease of two-way communication with external entities.


Do you really NAT all those meters though? It seems much more likely to me that you only have one or two specialized ALGs running.

One-to-many NAT really makes an attacker's life easier in a lot of ways, at least as far as computer networks that support active users. NAT makes it much easier to hide from flow analysis and IDS, and the proliferation of NAT traversal and tunnels to escape NAT makes it much harder to spot rogue traffic. Let's not forget the classes of attacks that private v4 space has eased, like DNS rebinding and home router attacks.

It's interesting: the only network I knew of that was IPv6, aggressively secured and had that many nodes is DISA, which definitely doesn't allow any public network traffic, and yet uses global address space.


Once again - "addressability != accessibility". I think the benefits of being able to reference the host even if for abuse tracking, or netflow cross-correlation, etc. - outweigh the obscurity advantages of NATs.

If I were concerned about having a diode-like gateway, I'd get a stateful firewall or, on Cisco boxes, configure a reflexive ACL. It comes for free with the base code, IIRC.

This all said - each individual network's mileage can vary, so we could argue till dawn - and I think we'd need to agree to disagree on the matter of the "security of NAT" :) If it makes someone sleep better - I think it's served its purpose. Much like throwing away the soda bottle before boarding the plane.


> I would rather optimize for security than ease of two-way communication with external entities.

So in the case of your networks, Skype traffic will go through third-party servers...


addressability != accessibility

Lots of folks get this mixed up.

Anyway, arguing about NATs is a bit like arguing about vi vs emacs: it's a great pastime.

http://blog.ioshints.info/2012/04/ipv6-legends-and-myths-mor... has a good collection of opinions so I can save the bits to not write it here.



