How is no password more secure than username+password?

They have configured the laptops to spin up a VPN connection and only speak to "home base" after they go on the network. That means that if there is a local "captive portal" that requires you to enter credentials, you will not be able to use it, because that would require evading the VPN.

(It's a chicken and egg thing. No VPN, no ability to reach the portal - no portal, no ability to spin up the VPN!)

It is more secure because they are ensuring that, no matter what connection you have, any network traffic you send goes through your company's network, your company's controls, and is not subject to interception or manipulation by any other party.

It unfortunately breaks the case of Wireless with a "captive portal," but allowing for that case would lower their security by allowing your machine to talk to arbitrary machines directly rather than through the VPN.


The "eduroam" service that you mention in the comment explicitly states that they do not have a captive portal, but use WPA-Enterprise based on 802.1X:

Does eduroam use a web portal for authentication?

No. Web Portal, Captive Portal or Splash-Screen based authentication mechanisms are not a secure way of accepting eduroam credentials.... eduroam requires the use of 802.1X...

802.1X is the kind of authentication you need to enter to configure your machine to connect to the network, so this case is one that your IT policy explicitly states that they allow:

if it’s set up so that you need a password to connect to the WiFi (and this password is given to you by the establishment) then again, you should be OK

In fact, eduroam appears to be very well aligned with your IT policy - they both distrust the "bad security" imposed by captive portals.


Based on the edit to the original question:

I am trying to connect to eduroam, but I cannot do it using my organisation's laptop. When I use a personal computer, it asks me for a username and password, just as a standard wifi network asks for a password.

That suggests to me that your organization's laptop is simply not prompting you to connect to new networks the same way that your personal computer is. This could be because of different operating systems or different policies applied to the two computers. You may simply want to ask your IT group for help configuring 802.1X for connection to the eduroam network; using that keyword will make it clear to them you're trying to do something they allow.


When you first connect to some websites, they require that you give them an email address or some other piece of data before you can use their service; this page is referred to as a captive portal.

Your company laptop is set up so that when it detects an internet connection, it connects back to your corporate VPN, and then connects back out from there. In most situations (scenarios 1 and 2 in your question), you can connect to the wifi with a password or open wifi, tunnel into your corporate VPN, and then connect back out - all of which is done using the service of the wifi you are connecting to.

However, in situation 3, you may land on a captive portal web page, which requires that you enter some piece of data first in order to connect. However, your laptop is designed in such a way that you must connect to the corporate VPN first. This means that you can't connect to the VPN because you haven't entered any credentials on a captive portal, and you can't enter the credentials because you haven't connected to the VPN yet.

Hopefully this answers your question a little better than my previous comment. Leave a comment here and I'll update this if you have further questions.

Edit: Just to add, the reason a company might have this type of setup is that it ensures all traffic passes through their VPN and allows them to enforce other policies, i.e. acceptable use, etc. Please see @gowenfawr's answer above for more info, as he has explained it extremely well.
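The chicken-and-egg problem described in the two answers above is exactly what an operating system's connectivity check is built to detect: it fetches a fixed URL whose normal answer is known (Android expects an empty HTTP 204 from connectivitycheck.gstatic.com/generate_204, Apple expects a page containing "Success" from captive.apple.com, Windows expects a fixed text file from msftconnecttest.com) and treats any other answer as a sign that a portal is intercepting traffic. The following is an added example, not code from the question or from any answer on this page; it models a generate_204-style probe and the VPN-first decision a locked-down laptop would make. The probe responses are constructed inline, so nothing is fetched from a network.

```python
"""Classify a captive-portal probe response and apply a VPN-first policy.

Added example for this page. The probe responses at the bottom are
constructed for illustration, not captured from a real network.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class ProbeResponse:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # names lower-cased
    body: bytes = b""


# Expected answer to the probe on an unfiltered network (assumption for the
# example: a generate_204-style target that returns 204 with an empty body).
EXPECTED_STATUS = 204
EXPECTED_BODY = b""


def classify_probe(resp: ProbeResponse) -> Tuple[str, Optional[str]]:
    """Return ("open", None), ("captive", portal_url) or ("blocked", None).

    "open"    - the probe came back exactly as expected; the VPN can start.
    "captive" - something rewrote the answer: a redirect to a login page, or
                a 200 with a body the probe target never sends (HTML injected
                by the portal). The portal URL is returned when a Location
                header names it.
    "blocked" - no usable answer (5xx, timeout mapped to 0): nothing can be
                concluded except that the VPN will not come up either.
    """
    if resp.status == EXPECTED_STATUS and resp.body == EXPECTED_BODY:
        return "open", None
    if resp.status in (301, 302, 303, 307, 308):
        return "captive", resp.headers.get("location")
    if resp.status == 200:
        # A 200 where a 204 was expected means the path to the probe host was
        # intercepted and a different document substituted for the answer.
        return "captive", resp.headers.get("location")
    return "blocked", None


def vpn_first_policy(resp: ProbeResponse) -> str:
    """Decision of a VPN-first laptop as described in the answers above.

    The laptop is only allowed to start the VPN; it never browses to a portal,
    so a "captive" verdict is a dead end rather than a login prompt.
    """
    verdict, portal = classify_probe(resp)
    if verdict == "open":
        return "start VPN"
    if verdict == "captive":
        where = f" ({portal})" if portal else ""
        return "stuck: portal requires a direct login the policy forbids" + where
    return "stuck: no connectivity to probe target"


# Constructed sample responses (not captured from any real network).
OPEN_NETWORK = ProbeResponse(204)
PORTAL_REDIRECT = ProbeResponse(302, {"location": "http://10.0.0.1/login"})
PORTAL_INJECTED = ProbeResponse(
    200, {"content-type": "text/html"},
    b"<html><body>Welcome to Hotel WiFi, accept the terms to continue</body></html>")
NO_ANSWER = ProbeResponse(503)


if __name__ == "__main__":
    for name, r in [("open", OPEN_NETWORK), ("redirect", PORTAL_REDIRECT),
                    ("injected", PORTAL_INJECTED), ("none", NO_ANSWER)]:
        print(f"{name:9s} -> {classify_probe(r)} / {vpn_first_policy(r)}")
```

The "injected 200" case matters in practice: many hotel and airport portals do not redirect but serve their own page at whatever URL was requested, so a check that only looks for 3xx status codes would wrongly report the network as open and the VPN attempt would then hang.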


There are already good answers as to the understanding of the policy, but I'm going to talk briefly about eduroam security and connection profiles to make sure that all bases are covered in terms of the answer. I've worked for two universities that offer eduroam and have spent a lot of time working with it.

Eduroam is a global network of universities and other educational institutions that peer together to allow members of one institution access to network resources at another partner institution.

Authentication to eduroam is done through the 802.1X protocol (with MS-CHAP v2 usually as the phase 2 authentication, at least in my experience). This is where the AP/controller uses RADIUS to talk to the RADIUS server at the home institution. Assuming all is good, the client is allowed to connect.

Encryption of the wireless packets from the machine to the AP is done with WPA2 (Enterprise, hence the 802.1X authentication) encryption.

One of the biggest issues I've seen with eduroam connection profiles is when the operating system submits the logged-on user's credentials automatically (this is the default in Windows 7 and below... I think they changed this in Windows 8). I've also seen an issue where Windows will sometimes try to connect with the machine account, which is not usually authorized by the university (only user accounts are).

Once connected to eduroam, your company will tunnel out the data through their VPN provider. Depending on how the institution where you are trying to connect has the eduroam network set up, this may or may not work (the one place I worked only allowed some VPNs out while on eduroam, not all).
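To make the RADIUS step in the answer above concrete, here is an added example (not code from the answer or from eduroam itself) modelling how a visited campus routes an 802.1X login it cannot verify locally. The visited site's RADIUS server looks only at the realm after the "@" in the outer (EAP) identity and forwards the request through the federation to the home institution, which performs the phase 2 check; eduroam requires the inner identity to carry the same realm as the outer one, and an outer identity such as anonymous@realm is allowed so the visited site never sees the username. The federation table, realm names, user store and the plain password compare standing in for MS-CHAPv2 are all constructed for the example, as is the "host/..." identity used to illustrate the machine-account failure the answer mentions.

```python
"""Toy model of eduroam 802.1X routing: visited site -> federation -> home.

Added example for this page; the federation, users and passwords are
constructed and the phase 2 check is a plain compare, not real MS-CHAPv2.
"""
from typing import Dict, Optional, Tuple

# Constructed federation: realm -> (country code, institution name).
FEDERATION: Dict[str, Tuple[str, str]] = {
    "uni-a.example": ("XX", "University A"),
    "uni-b.example": ("XX", "University B"),
    "uni-c.example.org": ("YY", "University C"),
}

# Constructed per-institution user stores (user part only, realm stripped).
HOME_USERS: Dict[str, Dict[str, str]] = {
    "uni-a.example": {"alice": "correct horse"},
    "uni-b.example": {"bob": "battery staple"},
    "uni-c.example.org": {},
}


def split_identity(identity: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' into (user, realm); realm is None when absent."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, None
    return user, realm.lower()


def route(outer_identity: str, visited_realm: str) -> str:
    """Decide where the visited site's RADIUS server sends the request.

    Only the realm of the outer identity is consulted; the user part may be
    'anonymous'. A Windows machine account shows up as 'host/name.domain'
    with no realm at all, so no home institution can be found for it.
    """
    _, realm = split_identity(outer_identity)
    if realm is None:
        return "reject: no realm in identity"
    if realm == visited_realm:
        return "local"
    if realm not in FEDERATION:
        return "reject: unknown realm"
    country_v = FEDERATION.get(visited_realm, ("?", ""))[0]
    country_h = FEDERATION[realm][0]
    hop = "national proxy" if country_v == country_h else "international root"
    return f"forward via {hop} to {FEDERATION[realm][1]}"


def authenticate(outer_identity: str, inner_identity: str,
                 password: str, visited_realm: str) -> str:
    """Routing, realm consistency, then the home institution's phase 2 check."""
    decision = route(outer_identity, visited_realm)
    if decision.startswith("reject"):
        return "Access-Reject (" + decision + ")"
    _, outer_realm = split_identity(outer_identity)
    user, inner_realm = split_identity(inner_identity)
    if inner_realm != outer_realm:
        # The outer realm chose the home server; an inner identity for another
        # realm would be checked against the wrong institution.
        return "Access-Reject (inner and outer realm differ)"
    store = HOME_USERS.get(outer_realm, {})
    if store.get(user) == password:
        return "Access-Accept"
    return "Access-Reject (bad credentials)"


if __name__ == "__main__":
    print(route("anonymous@uni-a.example", "uni-b.example"))
    print(authenticate("anonymous@uni-a.example", "alice@uni-a.example",
                       "correct horse", "uni-b.example"))
    print(authenticate("host/laptop.corp.local", "host/laptop.corp.local",
                       "", "uni-b.example"))
```

The last call shows why a Windows profile that tries computer authentication fails on eduroam: the identity has no "@realm", so the visited site has nowhere to forward it and rejects it before any password is checked. The same routing step is why connection profiles should pin the home institution's RADIUS server certificate: the client's phase 2 credentials are sent to whichever server answers the outer EAP exchange, so the profile, not the network, has to verify who that is.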