This is a reply to http://blog.davidebbo.com/2011/05/thoughts-on-installing-and-updating.html
I think you are wrong.
Everything in this post points out that you were wrong to base nuget on DTE.
The points here do explain "why this isn’t supported today" but it sounds like they are defending the lack of features as a good thing. It is not a good thing.
I sympathize with the lack of a strong foundation upon which to build. (limits of DTE) However, the idea of updating the csproj outside of visual studio point 1-3 and 7 in your post, is a sound idea.
The fact that #7 allows arbitrary code execution is something you will never overcome. As a packager might also automate something which is prevented by a GPO in a corporate environment, or utilize a COM object that doesn’t exist. You cannot solve all problems.