Just to say that I've read through the tracker issue, and I think your new proposal sounds sensible. In particular, I think its important to retain the "Download and run" ability with the official packages, so including the vendor directory in these packages is a good idea.
One thing I would say is that there needs to be very clear documentation about which composer commands to run when installing/upgrading, so that you always get the correct, fixed versions of libraries, and don't accidentally upgrade to untested versions. I also assume that there will be separate commands for installing dev tools (Behat, PHPUnit and so on)?
The only thing I'm not clear on is the core vs plugins issue, could you summarise why we'd support it in core, but not in plugins?