The lack of VIEW DEFINITION permission provides a secondary level of defense if a SQL injection vulnerability is exploited. With VIEW DEFINITION permissions, a hacker that gains access under the application security context could see the underlying proc code. This knowledge won't be a big deal if no permissions are granted on those objects but will facilitate intrusion if the account also has permissions on those objects.
I think a better approach would be to deploy and validate using a privileged account rather than the application logins. That would eliminate the need to grant more permissions than actually needed for application execution.