I doubt that the guru easily "found himself" in this dilemma. Usually the mess is old and passed on.
Best option as the first question to ask is when a system consolidation or upgrade is due, and combine the authorization redesign with that, as testing will happen anyway and if you get if right in SU24 then you have about 20 objects you need to be careful of x orgset groups + special requirements carved out of job roles.
You should not create a monster because of stubbornness. You can also mitigate roles themselves or accept risks. Eg. the owner of a company can partner with whom he wants, and complete all deals from A-Z with or without defrauding himself. His or her direct reports as well if they are active in SAP if they do it themselves. Otherwise clerks follow instructions 9 times out of 10 anyway...
-> Controls are more important than creating a "kaput" authorization concept and monster to administrate.
Cheers,
Julius