The STBs are well behaved DHCP clients, They will operate on any subnet your wish to assign. They will even operate on a 172.16.x.x (class B private).
VZ told you it was not supported because their CSR scripts are not designed to deal with a non-standard subnet. If you call for support, one of the first things the CSR will have you do is a hard reset on the router which will put you back on the 192.168.1.x subnet.
Your best security is #2.
Level 3 is useless. Wireless MAC addresses are transmitted in the clear and are easily viewed with a wireless sniffer and then spoofed.
Level 5 is pointless. If someone has gained access to you network, the router can easily be found with a port/IP scanner.
And no, you can't assign the STBs static addresses.