I've managed domains with a registry lock. It may depend on the registry, but when my boss didn't answer the validation call, the domain didn't get unlocked and we had to wait for the next day's change window (and remind the boss to pick up the phone) to get our nameservers changed.
I'm sure it's still possible to social engineer (it's a human-driven process), but there are a lot fewer people authorized to make the changes, and they're probably better trained.
> a more stringent, manual (and sometimes offline)
How is it more stringent? Who's to say the registry (e.g. Verisign) will do any more stringent of an unlock process than the registrar?