I think that the trust model for Google Apps account recovery is wrong. The domain name is a separate asset from the Apps account and the data in it.
The owner of the domain name should be able to create a brand-new Google Apps account for it. Recovering access to an account should be done through another channel (secondary email address, SMS, postal mail).
This isn't practical since any Apps admin account has by definition access to modify/reset all regular accounts belonging to that company/domain, so if you don't use things like wipeouts upon whois creation date modifications, the potential to expose a lot of private data from the former owner still exists.
Maybe “account” is the wrong word. I think that the domain’s owner should be able to create an entirely new “instance” of Google Apps (with separate users and separate data), whereupon the old instance would be detached from domain.
An admin of the old apps instance should be able to get into it to access data, delete it, or attach it to a different domain name.
The owner of the domain name should be able to create a brand-new Google Apps account for it. Recovering access to an account should be done through another channel (secondary email address, SMS, postal mail).