I agree. That least common denom. theory makes the weakest link in the chain your highest possible security posture. Here's a thought from an architectural standpoint. Don't just use another AP. Get a full wireless router, and put them on a different subnet. You can dumb it down to WEP and still use the same radius server for auth. Or, since it is only 3 devices, don't worry about radius and just set them up on the dumbed down router using MAC filtering as well. Many routers now also come with a nice little feature that disallows anyone connected via the wireless network from accessing the control panel. This makes it so that only those with physical access to your network via the wired LAN can make changes to your router's settings.
Hope this helps,
CISSP, MCSE, CSTA, Security+ SME