They probably just have a whitelist of user agents that they have verified HTML5 video to work well on... If it's anything they don't recognize they serve flash.
I'm not sure if this is what you're referring to, but they also don't allow you to embed a custom HTML5 player, just Flash. So, if you're a content producer or platform that wants to use your own player, your only option is to embed a SWF.
The irony is that I'm pretty sure the reasoning has security in there somewhere.
The irony is that I'm pretty sure the reasoning has security in there somewhere.