I guess I could take the matter up with Charlie, but he's not the one who's telling me that there's a security problem with my original design choice; you are. This seems to be getting more confrontational than I expect either of us really intends, so let me try to back up a bit.
Maybe it's the way you're phrasing things, and maybe it's just me, but when you wrote, "Unfortunately you have totally missed the point of the first article", it set me off a bit, largely because it's simply factually incorrect. The point of the first article, by its terms, was how to password-protect a subdirectory of an ibay--that was the stated "problem" to which it provided a solution. What "how-to" was in that article, I didn't need--I know how to make a custom template fragment, and I know how to incorporate the appropriate directives in httpd.conf. Yes, there were two sentences identifying purported security issues with using .htaccess, and one phrase (part of those two sentences) stating that .htaccess was disabled by default in SME Server. Perhaps those two sentences were your point in providing the link, and if so, I did miss that. Certainly if I'd read more carefully, I might have noticed that information the first time. If you'd posted, ".htaccess is disabled by default in SME Server for security reasons, see http://wiki.contribs.org/Htaccess for another way to implement it", that likely would have helped as well. I've since made some edits to that page that I think clarify the fact that .htaccess is disabled, and discuss some of the broader applications of the page.
I can accept that there's a marginal security gain in disabling .htaccess files system-wide. I haven't yet found evidence that it's a significant gain--my web searching hasn't found much at all discussing security problems related to enabling .htaccess files--but since it can remove some control over Apache security from the admin, and give it to users who may not know what they're doing, it's reasonable to believe it would be more secure to disable them, and retain security control with the admin (who hopefully knows what he or she is doing).
But at the end of the day, whether I believe it's a security issue or not, it comes down to the fact that .htaccess is disabled by default. To do the kind of access control I want to do, I need to either add a config database entry or create a custom template fragment, and either of those would need to be (or, at least, should be) manually removed if/when Joomla is removed.