I don't think it's particularly stupid to trust your config file. If a cracker can take control of your config file, you have worse problems than lack of validation of the config file. To put it another way, "unusual values" pulled from (likely root owned) config files are not a very likely avenue of attack.
So you think that config() should just clean up the taint as a matter of course? That seems even more magical than permitting the developer to tailer the de-taint regex to validate the expected values from the external files. If this is what you are advocating, why not just turn off tainting completely?
Sticking in a regexp for every config item might get more tedious than it is worth.
Except that because taint is turned on, more often than not the plugin has to cleanse the taint manually (and using a variety of methods)...
John
