I notice that one of the two sendmail processes is using /etc/mail/submit.cf as its configuration file. But this file doesn't have the DontBlameSendmail option enabled.
Wouldn't it be a good idea to add the define(`confDONT_BLAME_SENDMAIL', `GroupWritableDirPathSafe') option to the /usr/share/sendmail/conf/cf/submit.mc file and rebuild /etc/mail/submit.cf using m4?
BTW, fantastic article and I'm looking forward to reading about SMTP_AUTH. Any chance of you talking about configuring a mail hub to receive mail for multiple domain names?