The way you describe this implies that this “locking down” is a difficult and cumbersome process. It is not. At a minimum, there are two users: a web server user and an FTP user. The web server user cannot change anything the FTP user creates without explicit permission.

Now WordPress – that makes it easy for you. When you upgrade a module, it logs in as the FTP user and does its stuff. You just enter a password, and do not need to unweld thirteen locks from a steel door. The important thing is, you *need to be there* for the upgrade to write to those directories. That is the key here. Those files are not going to be changed while you are asleep.

If the process of setting permissions correctly for the site is too complicated to understand, then you need to pass that on to another party who does understand. We don’t put sunflower oil in our cars just to avoid having to learn about 15W50 vs 5W40 engine oil; we pass it on to the local garage to sort out.

In my world, setting secure file permissions is easy. The cost is tiny and the benefits massive. If you feel your cost far outweighs the benefits, then perhaps this is something you simply should not be trying to tackle.
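The two-user split described in the comment above can be verified mechanically. The following is an added example, not part of the original comment: a small audit that walks a site tree and reports every path the web server user could change. It assumes plain POSIX mode bits (no ACLs); the sample file names, the `build_sample_tree` helper and the stand-in uid are constructed for illustration.

```python
import os
import stat
import tempfile

def web_user_can_modify(st, web_uid, web_gids):
    """Apply POSIX class selection: owner, else group, else other."""
    if st.st_uid == web_uid:
        return True  # an owner can always chmod the file back to writable
    if st.st_gid in web_gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_tree(root, web_uid, web_gids):
    """Return sorted relative paths under root that the web server user could change."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful
            if web_user_can_modify(st, web_uid, web_gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample layout; everything is owned by whoever runs the script."""
    layout = {
        "index.php": 0o644,
        "wp-config.php": 0o640,
        "wp-content/uploads/cache.php": 0o666,  # world-writable: a finding
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # writable dir: a finding

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        other_uid = os.getuid() + 1  # stand-in for a separate web server uid
        for rel in audit_tree(tmp, other_uid, web_gids=set()):
            print("web user can modify:", rel)
```

On a real site, pass the web server account's numeric uid and group ids and the document root; an empty result means nothing in the tree can be altered by the web server process on its own.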