I've got a "workaround" for this issue. Still, it requires a hard-fork.
It's quite simple, just disallow two consecutive PoS blocks and lower PoS trust to match PoW (1).
There's no way PoS-only miner can orphan a single block.

PoW miner forking/orphaning still requires a substantial percentage of network hashing power.

However, this way we're essentially removing the intended purpose of PoS (checkpointing). I was unable to come up with any suitable solution that also preserved PoS checkpointing functionality - IMO it just can't be done (the right way) with current hybrid PoW/PoS design. In PoS-only system - no problem. But with hybrid chain it's just one hell of a mess.

I think I'll have the implementation ready soon (in 1 day methinks).

The only issue is deciding on the blockchain fork date. It should be fairly soon, but not too soon as we should give a majority of the network time to upgrade. How about 1 month?