So conceptually, the idea is to still have it manual, but make it just one command that does it all? That seems ok, especially if the micro-steps are still available even if you have to read the script to figure out how to invoke them. So I think you have avoided (in a good way) all the objections of the some-fraction that didn't want merely installing a package to make security-relevant changes to the system.