Well, right now, if one person loses their laptop (happens all the time), or if one student gets 30 seconds on an unattended laptop, then everybody will know the "secure" key and can connect to the network at will.
Right, but I think the point of view of the MS MVPs is that system-loss or unauthorized-user scenarios are both issues that can be solved with built-in Windows security, a trusted-platform scheme, or by simply promoting good computing practices (locking the computer when you step away from it, rotating your passwords periodically, etc.), and don't necessarily indicate some kind of Windows security flaw or design oversight in the OS.
Their assumption is that any person using a computer connected to your LAN is authorized to do so, and that there already exist a variety of methods to prevent unauthorized users from gaining access to any system. From BitLocker and TrueCrypt, to simple Windows passwords, there already exist ways to keep people out of Windows, and the network that the OS is authorized to connect to.
The problem is twofold. First, a Windows client machine isn't the ideal place to build a defensive layer against intrusion to your LAN; second, WPA isn't really designed to make a distinction between valid keys possessed by authorized and unauthorized users. From the OS point of view, any user that is behind the keyboard and has made it past Windows user authentication, BitLocker, etc. is assumed to be an authorized user. From the router point of view, any user that possesses a valid key is assumed to be an authorized user.
To me, the problem is similar to the issue of protecting a video stream from movie pirates. You can encrypt the movie data to make it useless to thieves, but at some point you will need to decrypt it and display it on the screen. The point where that occurs is a weak spot, and it's usually the first place a thief will look to intercept an unencrypted data stream. Hackers have discovered a million ways to decode movies, thwarting every scheme the movie industry has created to prevent that from happening. Even making the keys unique for every single movie, and strongly protecting them inside multiple layers of OS abstraction and hardware protection, hasn't succeeded in preventing those movies from being decrypted. All it takes is a single weakly-protected piece of hardware, and once people know the key - it's game over. The problem here is similar to yours - the problem isn't so much that the layers of protection of the wireless key are weak, it's the fact that only a single key is being used to protect the data. Like Hollywood, which relies on a single commonly-shared key to decode movie titles encrypted on discs, you are relying on a single commonly-shared key to protect access to your school's LAN. You can obfuscate and encrypt this key to oblivion, but at some point the OS needs to derive it and use it to access the network.
To the best of my knowledge, the only thing that has reliably worked is systems designed using two-factor authentication. When NOWHERE on the local device exists the full solution to the encrypted data, a second factor is needed to decrypt. This can be an authenticator key, a smart-card, or some hash residing on a remote server somewhere on the net. Without that second factor, even if the local key is discovered by the user - the encrypted data, or the protected network, is useless.
http://en.wikipedia.org/wiki/Two-factor_authentication
In my opinion, it is not possible to solve your problem by changing the way keys are stored in Windows. You can obfuscate the keys, but because Windows will eventually need to decrypt that key and connect to the network, there will always exist a way to bypass that protection and obtain the protected key. If your wireless router is designed to connect to an open LAN protected only by the single wireless key - it's game over.
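The following is an added example, not part of the post above. It models the post's argument: a WPA/WPA2-Personal key is derived from nothing but the passphrase and SSID, so a copied key is as good as the original, while a per-user verifier kept only on a server lets one user be cut off. The class names, user names and secrets are constructed for illustration, and the admission check is a simplified model, not the real 4-way handshake.

```python
import hashlib
import hmac
import os

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def _verifier(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class SharedKeyNetwork:
    """Hypothetical model: admission depends only on knowing the shared key."""
    def __init__(self, passphrase: str, ssid: str):
        self.pmk = derive_pmk(passphrase, ssid)

    def admits(self, presented_pmk: bytes, user=None, secret: str = "") -> bool:
        # No identity is involved: every holder of the key looks the same.
        return hmac.compare_digest(self.pmk, presented_pmk)

class SecondFactorNetwork(SharedKeyNetwork):
    """Hypothetical model: shared key plus a per-user secret whose salted
    hash exists only on the server, never on the client device."""
    def __init__(self, passphrase: str, ssid: str):
        super().__init__(passphrase, ssid)
        self.verifiers = {}  # user -> (salt, hash)

    def enroll(self, user: str, secret: str) -> None:
        salt = os.urandom(16)
        self.verifiers[user] = (salt, _verifier(secret, salt))

    def revoke(self, user: str) -> None:
        # Removes one user without rotating the key on every other device.
        self.verifiers.pop(user, None)

    def admits(self, presented_pmk: bytes, user=None, secret: str = "") -> bool:
        if not super().admits(presented_pmk) or user not in self.verifiers:
            return False
        salt, expected = self.verifiers[user]
        return hmac.compare_digest(expected, _verifier(secret, salt))

if __name__ == "__main__":
    # Constructed sample values.
    copied = derive_pmk("school-passphrase", "SchoolLAN")
    print(SharedKeyNetwork("school-passphrase", "SchoolLAN").admits(copied))
    print(SecondFactorNetwork("school-passphrase", "SchoolLAN").admits(copied))
```

In the shared-key model the only way to lock out a lost laptop is to change the passphrase on every device; in the second model the copied key alone is rejected.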