Thanks for your reply. I think I understand from this that assigning a system role now means that they have that role in the system context, but that it does not cascade down to the contexts below.
I'm not sure how cohorts help plug this gap. Cohorts are a way to assign a whole bunch of users to a course, but what I want to do is assign a user to a whole bunch of courses. As far as I can tell, the only way I can do this now is to assign a category-level role, for each category in turn.