Agreed on subsystems/extensions being handled differently from deployments. I can't see how we're doing our users a favor by leaving a server running with partially broken subsystems. If a subsystem finds a problem that it can live with, it should log an ERROR/WARN and not throw an exception. If an exception is thrown, that's an indication that the subsystem and thus the entire server is in an invalid state.
The draft deployment API that I'll start a thread on next includes ways for the user to specify how they want things to work if failure occurs during deployment.