It would be nice if pam_nologin could take an option to change the default behaviour. In particular, it would be great if one could specify that pam_nologin should let some particular users in besides (or instead of) root. Also, it may be a good idea to allow one to specify a file other than /etc/nologin to watch. In general, pam_nologin appears to be the only module that can be used to provide a user with some specific information as to why the access was denied. Possibly, instead extending nologin (which already provides some very standard and expected functionality), some other module (may be pam_listfile?, or all of them through a library extension?) could be extended to support customized "permission denied" error messages.
You can already specify different file than /etc/nologin. (Use the file= option.) The second request can be easily worked around - use pam_listfile, pam_access or pam_succeed_if for denying access and pam_nologin only as optional module.