Here is my up-too-late answer:
Use ADP templates for each subsite. We will need to mirror the package templates in a subsite-specific place. Either filesystem, or database (possibly the CR with filesystem storage). This way when we get ambitious it will be easy to implement web-based editing of the templates. The users will only be editing ADPs, and we can disable <% %> for those and any other security features we need.
It won't be easy to edit templates, but anyone who can learn HTML can figure out how to use it.
I almost forgot. Use the package default template unless there is a subsite-specific one.
This also partially alleviates the "I modified some files, how can I upgrade", but only if you only modify the ADPs and the new Tcl files provide the same datasource, but it's a start.
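
A sketch of the lookup and save path proposed in the post above, added here as an example and not part of the original post or of any OpenACS code. The `subsite_tpl` namespace, its proc names, and the `packages/<package>/www` and `overrides/<subsite>/<package>` directory layout are assumptions made for illustration.

```tcl
namespace eval subsite_tpl {}

# Refuse path components that could escape the template roots (e.g. "../etc").
proc subsite_tpl::check_parts {parts} {
    foreach part $parts {
        if {![regexp {^[A-Za-z0-9][A-Za-z0-9_-]*$} $part]} {
            error "invalid template path component: $part"
        }
    }
}

# Return the subsite-specific ADP if one exists, else the package default.
proc subsite_tpl::resolve {pkg_root override_root subsite package page} {
    check_parts [list $subsite $package $page]
    set override [file join $override_root $subsite $package "$page.adp"]
    if {[file isfile $override]} {
        return $override
    }
    return [file join $pkg_root $package www "$page.adp"]
}

# Store a user-edited ADP. Only the <% %> form named in the post is refused;
# anything else the renderer can evaluate would need its own check.
proc subsite_tpl::save_override {override_root subsite package page adp_text} {
    check_parts [list $subsite $package $page]
    if {[string first "<%" $adp_text] >= 0} {
        error "inline <% %> code is not allowed in subsite templates"
    }
    set dir [file join $override_root $subsite $package]
    file mkdir $dir
    set fh [open [file join $dir "$page.adp"] w]
    puts -nonewline $fh $adp_text
    close $fh
}

# Constructed demo tree under /tmp; all names below are sample values.
set root [file join /tmp "subsite_tpl_demo_[pid]"]
set pkgs [file join $root packages]
set over [file join $root overrides]
file mkdir [file join $pkgs forums www]
close [open [file join $pkgs forums www index.adp] w]
puts [subsite_tpl::resolve $pkgs $over sales forums index]
subsite_tpl::save_override $over sales forums index "<h1>Sales forums</h1>"
puts [subsite_tpl::resolve $pkgs $over sales forums index]
# Both calls below raise an error: inline code, then a traversal attempt.
puts [catch {subsite_tpl::save_override $over sales forums index "<% ns_log notice x %>"} msg]
puts [catch {subsite_tpl::resolve $pkgs $over ../etc forums index} msg]
file delete -force $root
```

The first `resolve` call prints the package default path and the second prints the subsite copy written by `save_override`.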