CTR is the simplest, easiest to analyze and least error-prone mode there is, and doesn't require padding and allows for random access. The added security of other modes is mostly fallacious, and ones where it isn't are way too complicated for me to feel comfortable using them.
I don't know what your issue is with encrypting outside of authenticating is. If nothing else, it leaks authentication information which one may want to keep secret, and this is one case where I'm agreeing with Practical Cryptography, just making the recommendation more straightforwardly. My simplest explanation for this is that doing encryption on the outside allows for clean layering of the software implementation, where the other way does not.
RSA exponents more than 2 are at least twice as slow, which should not be simply ignored for speculative reasons. Encoding issues should be dealt with by using a good encoding, which is a dangerous issue in any case, as I explained.
I might start recommending GCM in the future, after more chips support in and I've spent some time analyzing its implications. For the time being simply using a secure hash and CTR is the reasonable conservative approach.