PPRuNe Forums - View Single Post - home networking and security
Old 26th July 2006 | 10:18
IO540
From: EuroGA.org
Some of this is debatable, IMHO.

With any security policy, one needs to identify the enemy.

To stop a casual passer-by all you need is plain 64-bit WEP with some not totally obvious password e.g. ppruNe9734

This gives you very good equipment compatibility and doesn't need a revisit to the router config for each new device.

Equally, one could leave the network wide open and use MAC filtering, allowing only the known clients. This gives the best possible equipment compatibility (because as far as each client is concerned the network uses no security) but needs a visit to the router config for each device to be added.

To stop somebody who knows what they are doing you have to use WPA/PSK, or better. Adding the other stuff (MAC address filtering, SSID broadcast disabled) doesn't add any security because the required data can be picked up instantly by monitoring existing traffic.

"SSID broadcast disabled" in particular is an equipment compatibility nightmare. Many XP laptops will never find the access point thus configured, unless they are rebooted. A lot of gear just doesn't work, or disconnects randomly. My HP 4700 PDA doesn't work at all with some access points. The latest Draytek 2600 firmware stops working completely if I set this... This method stops the casual passer-by noticing the network, that's all.