Sean,
That's the asymmetric problem with identity theft. Companies seem to make it easier to steal the identity (24x7 transfers with 10 minute zone file updates) than to correct the theft (only open Monday-Friday, find the right department, fill out multiple forms, wait 2 weeks, etc).
That just makes it hard to do business period, you need to make it harder for a user to verify who they are. Such as a secret password and a faxed in authorization form or choose your level of security.
I agree rules and processes are important. Instead of calling it circumvention, I would call it a robust exception handling process. Both the intial process of protecting your identity, as well as the exception handling process in the event it is compromised, should be available for both my home domain as well as well-known companies like MS, AOL and AT&T. It should be as hard to steal my domain as it is to steal AOL.COM.
Yes, it should be equally as hard to steal your domain as it would be to steal AOL, MS, AT&T, MCI or any of the larger "world-wide traffic holders"
Unfortunately, there is very little I can do to prevent a Registry/Registrar from giving my identity away without my permission.
Theres alot you can do, you can always complain. More complaints to your registrar about security end up with alot more results. So try that out. -- Joshua Brady