Hi Andrew,
These questions can be tricky…we’ll have to look at some binary numbers, especially the 2nd and 3rd octet:
2nd + 3rd = 00000000 00000001
wildcard = 11111110 11111110
So the only bits we care about are the 8th bit (has to be 0) and the 16th bit (has to be a 1).
Once I apply your access-list on these addresses:
10.0.0.1
10.0.1.1
10.1.0.1
10.1.1.1
10.2.0.1
10.2.1.1
Then here’s all that is left afterwards:
10.0.0.1
10.1.0.1
10.1.1.1
10.2.0.1
Let’s look at all addresses’ 2nd and 3rd octet in binary:
10.0.0.1 = 00000000 00000000
10.0.1.1 = 00000000 00000001
10.1.0.1 = 00000001 00000000
10.1.1.1 = 00000001 00000001
10.2.0.1 = 00000010 00000000
10.2.1.1 = 00000010 00000001
Now take a close look at the 8th and 16th bit of each address…if the 8th bit is a 0 and the 16th bit a 1 then we deny it. This applies to:
10.0.1.1
10.2.1.1
Everything else is permitted. This explains why you see these results.
Does this help?
Rene
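
The wildcard matching described in the reply above, as an added example that is not part of the original post. The full access-list is not shown on the page, so the entry `deny 10.0.1.0 0.254.254.255` followed by a permit-any is an assumption (only the 2nd and 3rd octets are given); the function names are hypothetical.

```python
import ipaddress

def to_int(dotted):
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = address bit must equal base bit, 1 = don't care."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def checked_bits(wildcard):
    """1-indexed bit positions (counted over the whole 32-bit address)
    that the wildcard actually compares."""
    w = to_int(wildcard)
    return [i + 1 for i in range(32) if not (w >> (31 - i)) & 1]

def evaluate(acl, addr):
    """First matching entry wins; fall through to the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"

def permitted(acl, addresses):
    """Return the addresses that survive the access-list."""
    return [a for a in addresses if evaluate(acl, a) == "permit"]

# Assumed ACL: the 1st and 4th octet values are not given in the post.
ACL = [
    ("deny", "10.0.1.0", "0.254.254.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # permit any
]

# The six test addresses from the post.
ADDRESSES = ["10.0.0.1", "10.0.1.1", "10.1.0.1",
             "10.1.1.1", "10.2.0.1", "10.2.1.1"]

if __name__ == "__main__":
    # Bits 16 and 24 of the full address are the "8th" and "16th" bits
    # of the 2nd + 3rd octet pair used in the post.
    print("bits compared:", checked_bits("0.254.254.255"))
    for a in ADDRESSES:
        print(f"{a:10} {evaluate(ACL, a)}")
```

A non-contiguous wildcard like this one matches every other value of the 2nd and 3rd octets, so when auditing an access-list it is worth listing the compared bits rather than reading the entry as a subnet.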