Hi,
On the current project we use authorization groups to control access to BPs. We enhanced WebUI to populate the authorization group when a BP is created in WebUI. We also have external systems that use our custom API to create BPs. Here we can easily control the authorization group populated on the BP.
I am not a CRM expert but I don't think that business role is a useless object. It's just not suitable for a basic authorization check. If I am not mistaken, one big difference is that a BP can have multiple roles but only one authorization group. As you are aware, there is a standard BAdI that is triggered after every update of a BP. So you could use it to force the authorization group based on role, but you will have to somehow resolve multiple roles to one group.
CRM also has the Access Control Engine (ACE). My understanding is that this is a more flexible concept and you should be able to use it for your scenario to create more flexible access control than using authorization groups.
Cheers