You can provision a role with anything via SU24 and then do a merge to all roles who are affected. That can be automated to a one-click per role level.
Yes, we have our own tools to sync the menus and distribute sets of org. levels to sets of target roles.
I hope that by early next year there will also be API's to provision non-org values automatically to open fields in roles or append values in special cases where they should differ from role to role, like movement types and approval keys. I will post the SAP note number when I have it. Then derived roles will not be attractive at all anymore.
But I do also know customers who can live with derived roles and the business processes are harmonized enough that the number of bolted on localizations could be kept to a reasonable number.
Cheers,
Julius