I don't like having SLP pre-load, but if I don't then 20% of the users think the plugin doesn't work. In the current mode less than 5% of the sites have problems.
As far as making a copy of our own version of the AJAX listener, that is NOT a good idea. There are a TON of threads about not doing stuff like that, including your own copies of jQuery, and a whole slew of other bad practices. Yes, WordPress has security holes but it is much tighter than most other web apps and the core team works hard to close those holes where possible.
As for securing the login I've recently been adding Google Authenticator to all my client sites and my own sites. Not perfect but much better than a wide-open password-based access. Especially when you have to leave the AJAX listener open.
BTW, if you REALLY want to get creative with security, create a list of valid plugins in the header of the AJAX listener and filter it through active plugins. If the plugin is not on the approved list, drop to a 404. That is way beyond the scope of this plugin but may be a cool idea for a "harden WP" plugin. That along with moving wp-config.php and making sure ALL references to the *thumb php files have been updated (there is a well published exploit out there that lets hackers get into your command line if you have the older *thumb code).
Thanks for sharing the info.
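
One way to implement the allowlist idea from the post above, as an added example that is not part of the original post, SLP, or WordPress core. It assumes a must-use plugin (loaded before regular plugins) and a per-action allowlist; the action names and plugin paths are constructed placeholders.

```php
<?php
/**
 * Hypothetical must-use plugin: wp-content/mu-plugins/ajax-allowlist.php
 * Added example; the action names and plugin paths below are constructed.
 * It applies to every admin-ajax.php request, logged-in or not, so core
 * actions used by wp-admin must be listed too.
 */

// AJAX action => plugin file that serves it (null = handled by core).
const AJAX_ALLOWLIST = array(
    'heartbeat'            => null,
    'example_store_search' => 'example-locator/example-locator.php',
);

// admin-ajax.php defines DOING_AJAX before WordPress loads, so it is
// already set when mu-plugins run. Every other request is left untouched.
if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
    $action = isset( $_REQUEST['action'] ) && is_string( $_REQUEST['action'] )
        ? $_REQUEST['action']
        : '';

    // Unknown or missing action: answer 404 before any plugin code loads.
    if ( ! array_key_exists( $action, AJAX_ALLOWLIST ) ) {
        status_header( 404 );
        nocache_headers();
        exit;
    }

    // Known action: load only the approved plugin, and only if the site
    // administrator already has it active. Network-activated plugins on
    // multisite are stored in a separate option and are not covered here.
    $needed = AJAX_ALLOWLIST[ $action ];
    add_filter(
        'option_active_plugins',
        function ( $active ) use ( $needed ) {
            $active   = is_array( $active ) ? $active : array();
            $approved = array_filter( array( $needed ) );
            return array_values( array_intersect( $active, $approved ) );
        }
    );
}
```

Because the filter intersects the allowlist with the stored `active_plugins` option, it can only narrow what loads during an AJAX request; it never activates a plugin the administrator has turned off.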