Another option could be:
Split the JAAS configuration portion of the security subsystem into its own schema. Reference it from both the AS config schema and the security subsystem schema, and modify the portion of the security subsystem that operates on this to be able to parse these elements when defined in the security subsystem AND within a security realm. That way, instead of referencing the domain, we could just define the login module stack directly in the realm.
Using JAAS in the host controller has been problematic as well, so this would solve that problem for some users.