Has anyone implemented a security model where they grant access to all admin tasks except security?

I did the same thing at HC2. It wasn't too bad... I'd create a power user group and leverage the administrator group. Just restrict the system security roles to administrator and the application security roles to Power User. Basically the IT team was assigned to the admin group and the finance ""True system admin"" was assigned to the power user group. The finance admin could do everything but access the system tab.