Thanks for the help. This is Kentico 8.2. Using the security debug I've identified that there's a particular property failing the necessary check. I can see that for each affected node (all nodes at level 1) the CREATE and MODIFY checks are the same except for one property -
IsAuthorizedPerTreeNode - which is true for CREATE and false for MODIFY.
If anyone can help me understand why this is I'd appreciate it. As I say, the user can modify the same page types everywhere else in the tree. This only happens at level 1.