There's always more that can be done. The layers added in the name of security never seem to end. Proxy server, VPN, encrypted LAN traffic, encrypted ethernet cards, IDS (intrusion detection system), ad nauseam. It really depends on what you are trying to protect. The usual mistake is physical security. I could plug a "rogue access point" or ethernet tap into your network, and all your security is gone. It's like locking the front door with a dozen locks, but leaving the back door and windows wide open.
Also, real security requires log reading. You need to monitor your network, have someone (or a script) read the log files regularly, and look for surprises and changes. You also need to run regular exploit scans. Putting a lock on the front door is nice, but it's useless unless you check to see if it's still locked and functional.
Double NAT used to be called a double firewall with a DMZ (Demilitarized Zone for those that missed Viet Nam) in between. Servers that needed to be exposed to the internet were placed in the DMZ with traffic controlled by the first router also known as a "bastion host". To entertain attackers, "honey pot" servers were often also planted in the DMZ area. The inside LAN was protected by the 2nd router. If a server in the DMZ was compromised, it would not affect anything on the inside LAN. It's a very good system and works well. Complications with administrative access to the DMZ servers, and dealing with port forwarding using double NAT make setup interesting.
As far as the wireless is concerned, pre-shared keys are inherently insecure. All it takes is one of your laptops or clients with the pre-shared key installed to be compromised, and the key becomes known. Some manufacturers encrypt the WPA keys in the registry, but few bother to use a secure algorithm. Some even have it saved in readable text. If the single pre-shared key is discovered, then the entire wireless network is seriously compromised.
With RADIUS authentication, there is no single WPA key. It's contrived for the duration of the connection and not saved anywhere. I can sniff a connection, and extract a single key, but that only gets me on the system for a very limited time. If you value security, do the 802.1x thing and RADIUS server.
Incidentally, I never have much trouble with external (internet) security. Attacks originating from the internet are not much of a problem. Attacks from inside the LAN, originating from compromised laptops and PDAs, are what drive me nuts. The boss goes to a hotel with his laptop, gets infected by a trojan horse, and brings the laptop back to the office. I get to spend days cleaning out the mess. If he's had a key logger installed, I get to change every last lousy password on the system. The few that take it seriously (mostly for HIPAA compliance) use X.509 certificates on USB dongles.
Try to think of security in terms of reliability. If a single point of failure happens, such as a single lost password, what would need to be changed in order to re-secure the system? If the answer is change the passwords on a dozen machines or wholesale reconfiguration, then your security model is broken and needs to be re-evaluated.
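The "have a script read the log files and look for surprises and changes" advice above, sketched as an added example that is not part of the original post: it compares DHCP acknowledgements in a log against a known-good baseline and reports devices that were never seen before (such as a newly plugged-in access point) and known devices whose hostname changed. The log lines are constructed in dnsmasq's DHCPACK syslog style, and the baseline, hostnames and function name are assumptions.

```python
import re

# Constructed sample lines in dnsmasq's DHCPACK syslog style (not from the post).
SAMPLE_LOG = """\
Mar  3 08:01:12 gw dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.20 00:11:22:33:44:55 boss-laptop
Mar  3 08:02:40 gw dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.21 00:11:22:33:44:66 frontdesk
Mar  3 09:15:03 gw dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.57 de:ad:be:ef:00:01 linksys-ap
Mar  3 09:40:19 gw dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.21 00:11:22:33:44:66 WIN-TEMP01
Mar  3 09:41:00 gw dnsmasq-dhcp[412]: DHCPDISCOVER(br0) 00:11:22:33:44:77
"""

# Constructed baseline: lowercase MAC -> hostname, recorded when the LAN was known-good.
BASELINE = {
    "00:11:22:33:44:55": "boss-laptop",
    "00:11:22:33:44:66": "frontdesk",
}

# Only completed leases (DHCPACK) are considered; the hostname field is optional.
ACK = re.compile(
    r"DHCPACK\([^)]+\)\s+(?P<ip>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?", re.I)

def find_surprises(log_text, baseline):
    """Return one finding per distinct surprise, in the order first seen."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = ACK.search(line)
        if not m:
            continue
        mac, host = m.group("mac").lower(), m.group("host") or ""
        if mac not in baseline:
            kind = "unknown-device"      # never seen on this LAN before
        elif host != baseline[mac]:
            kind = "hostname-changed"    # known MAC presenting a new name
        else:
            continue                     # matches the baseline: nothing to report
        if (kind, mac, host) not in seen:
            seen.add((kind, mac, host))
            findings.append({"kind": kind, "mac": mac,
                             "ip": m.group("ip"), "host": host})
    return findings

if __name__ == "__main__":
    for f in find_surprises(SAMPLE_LOG, BASELINE):
        print(f"{f['kind']:17} {f['mac']} {f['ip']:15} {f['host']}")
```

Run from cron against the real log and mail the output only when it is non-empty, so a quiet day produces no noise.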