"Security groups (which define what IPs can access what ports, similar to basic IPTables firewall rules) cannot be shared between EC2-Classic and EC2-VPC,"
That is no longer true. In December 2014 Amazon launched ClassicLink, which lets you add EC2-Classic instances to VPC security groups.
Author here - Actually, the big problem was RDS EC2-Classic DB security groups, which ClassicLink doesn't help with. ClassicLink certainly is a feature, but it's not one that would have helped with the subset of groups that we were having trouble with.