1. Improve the security of a Drupal install by keeping all files private, except for an index.php, no module or include files should be accessible from a web browser. The biggest problem with this approach will be the install of contrib modules that add CSS files. IMHO Drupal can be awkward for custom styling of modules. There is a chicken-and-egg problem of which CSS files should come first. Until this is solved there will be holes in the suggested approach. Otherwise, in principle +1 for at least enabling such installs.
This will not increase security. Well, not quite right there. It is a common-sense security thing. There are plenty of misconfigured|not allowed to use .htaccess|add your favourite sites out there.
htaccess is an Apache idiom.
If .htaccess can not protect you, why would this? Simply because you won't have access from the web server to those paths, so your config et al directories are safe. If they are safe, you don't need to rely on extra filtering.
And how would we ship the tarball...? Untar this half below documentroot and index.php to documentroot...? /me shakes head
The majority of installs are either untarred locally or the people have shell access. For both of these it is valid: untar, copy to "system" area. With this you will add: copy to the "web" area. Now system and web are one and the same. Actually both world views can coexist and it is a couple-of-lines patch; unfortunately I can't find this in the forums (I posted something like that in the summer).
You need to convince me that the current is not good. I tell you, this is not easy. The current is good, it can be made better. What the defaults should be is another matter - probably highly flameable.
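
The split discussed in this thread, as an added example that is not part of any post and is not Drupal's own code: it sorts an unpacked install into files that must stay under the document root and files that can move to a private "system" area, and lists the static assets that ship beside private code (the contrib CSS problem raised in the first reply). The extension list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

STATIC_EXT = {".css", ".js", ".png", ".gif", ".jpg", ".ico"}  # assumption
ENTRY_POINTS = {"index.php"}  # assumption: the only script requested directly

def plan_split(install_root):
    """Sort each file of an unpacked install into a "web" or "system" list.

    web: must sit under the document root (entry point, static assets).
    system: code, includes and config, kept outside the document root.
    """
    plan = {"web": [], "system": []}
    for dirpath, _dirs, files in os.walk(install_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), install_root)
            rel = rel.replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            side = "web" if rel in ENTRY_POINTS or ext in STATIC_EXT else "system"
            plan[side].append(rel)
    return {side: sorted(paths) for side, paths in plan.items()}

def assets_beside_code(plan):
    """Static files that share a directory with private code (the CSS problem)."""
    code_dirs = {os.path.dirname(p) for p in plan["system"]}
    return [p for p in plan["web"]
            if p not in ENTRY_POINTS and os.path.dirname(p) in code_dirs]

def build_sample_tree(root):
    """Constructed sample layout for the demo, not a real Drupal release."""
    for rel in ("index.php", "includes/bootstrap.inc", "misc/drupal.css",
                "sites/default/settings.php",
                "modules/example/example.module",
                "modules/example/example.css"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        plan = plan_split(tmp)
        print("web area:   ", plan["web"])
        print("system area:", plan["system"])
        print("needs a web-visible home:", assets_beside_code(plan))
```

Every path in the last list is a file a browser must fetch from a directory that would otherwise hold only private code, so it needs a web-visible copy before the private layout can work for that module.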