Blob Cache Cache-Control header not added to /subsite/_layouts/images/gears_anv4.gif (for example) requests

I have the Blob Cache setup for my SharePoint 2010 environment and it seems to work great. Requests to files like:
https://mysite.com/_layouts/images/gears_anv4.gif produces a local copy with my configured expiration time (and the file is accessed anonymously).  One request to the server and until the user clears their local cache, the file will load from local disk without even a 304 round trip. Wonderful.

However:
https://mysite.com/departments/_layouts/images/gears_anv4.gif produces a 401 round trip, and and the follow-up 200 response does not contain the Cache-control header.  304 round trips to ensure the file has not changed happens with each followup request for the same file.  Same thing happens with subsites and other non-root-site-collection paths off the same web application.

Adding an applicationhost.config entry for the "departments" subsite (below the oob entry for /_layouts/images)

    <location path="webapp1/_layouts/images">
        <system.webServer>
            <staticContent>
                <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" />
            </staticContent>
            <security>
                <authentication>
                    <windowsAuthentication enabled="false" />
                    <anonymousAuthentication enabled="true" />
                    <digestAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <clientCertificateMappingAuthentication enabled="false" />
                    <iisClientCertificateMappingAuthentication enabled="false" />
                </authentication>
            </security>
            <handlers accessPolicy="Read" />
        </system.webServer>
    </location>
    <location path="webapp1/departments/_layouts/images">
        <system.webServer>
            <staticContent>
                <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" />
            </staticContent>
            <security>
                <authentication>
                    <windowsAuthentication enabled="false" />
                    <anonymousAuthentication enabled="true" />
                    <digestAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <clientCertificateMappingAuthentication enabled="false" />
                    <iisClientCertificateMappingAuthentication enabled="false" />
                </authentication>
            </security>
            <handlers accessPolicy="Read" />
        </system.webServer>
    </location>

seems to "fix" the problem.  But clearly this is not a workable solution.  I'm missing something for sure

There has to be a solution that allows anonymous access to any subsite or non-root-site collection _layouts/images files, and inserts the appropriate Cache-Control header so Blob Caching works well.

It seemed like the following articles have some relevance but, maybe not.  I do use a wildcard certificate, but this occurred all in the same web application using the same”base” url.
http://blogs.msdn.com/b/kaevans/archive/2012/03/27/what-every-sharepoint-admin-needs-to-know-about-host-named-site-collections.aspx
http://www.sharepointnutsandbolts.com/2009/05/optimization-blob-caching-and-http-304s.html
http://www.sharepointnutsandbolts.com/2009/05/more-on-optimization-http-304s-etc.html