"for some reason ansible devs think storing a vault-password in a plain text file is secure" – They give you another option. Use the "If executable, it will be run and the resulting stdout will be used as the password" description of ANSIBLE_VAULT_PASSWORD_FILE. This will be like ANSIBLE_VAULT_PASSWORD_FILE=/path/to/file ansible-playbook … where /path/to/file is an executable script that will run gpg -d ~/gpg_encrypted_vault_password_file 2>/dev/null. Not tested because I have not and I do not use ansible-playbook, I have just skimmed through the documentation.