You have to do it on the server. And it's a pain to implement correctly, full of cryptic error codes. I imagine many developers skip it since it's not required by Apple.
The other thing is that you're dependent on the validation server's availability to check the receipts. Apple's got great uptime in this respect (and others), but there have been outages (a big one last September: http://www.ilounge.com/index.php/news/comments/app-store-suf...).
It's a tradeoff, really, that most IAP implementors consider:
Cost of support and loss of goodwill when legitimate customers run into issues vs. loss of revenue from pirates (heretofore only jailbroken phone users) who likely wouldn't have purchased anyway.
It makes fiscal sense for big players with big IAP scale like Zynga to strictly validate. Little players may find it is less critical to the bottom line to be strict about it.
+1
Totally agree, it is actually pretty easy and worth it if you already have to have a server. If you don't already have a server, then it probably isn't worth adding one.
Apple does not require it because its not their job. Its the app developer that's losing money because of this not Apple. They provided a way to do it right.
Probably mostly game apps where the item being sold is purely virtual. It seems to me like the extra cost of validating receipts for that use case wouldn't be worth it.