I agree with your policy, Monte, and said so during the entire transfers policy development process. The pendulum has swung too far to the other side with the recent changes, and I'm sure after a few bad experiences get press, the pendulum will swing back towards protecting registrants' security, through double-verification.
The prior assumption, that led to this policy, was that there are bad registrars out there HOLDING BACK names from being transferred. In response, security was lowered, to permit the gaining registrar's authentication of the transfer request, alone, to trump all.
Problem is -- it didn't remove the "bad registrars"! If they're still present, it means instead of having names held back, we'll have bad registrars who don't do proper checking of consent (e.g. accepting forged faxes as 'consent'), and the losing registrar can't do much to protect their clients.
One 'solution' that might fit the rules (not sure), might be to create "sticky" locks? i.e. if a domain name gets unlocked, it can only stay unlocked for 24 hours or so, and if no transfer request ensues, it bounces back to a state of being locked automatically?? I'd consider that a useful feature, as the act of unlocking the domain, if it happened immediately before the transfer, and was authenticated via email or some other method, serves the purpose of the validation by the losing registrar that the transfer is legit.