Moxie's laid out very clear reasons for why he uses Google Play and discourages other people from building it. You may not agree with him, but he at least has what I think is a coherent security model that he's sticking to.
Really great discussion on it here:
Namely, he trusts apps signed with his signature (a process he manages using his own airgapped system) and that's it. *You* may not hinge your trust of the application on his signature, but he does, and he wants ideally every TextSecure install to have it.
Both threads above are from before the CyanogenMod deal. To make that happen, Moxie's team built a secure self-update path for the app, which removed most of the barriers to requiring Google Play.
The other main barrier is push delivery, which right now uses Google Cloud Messaging. High-quality push delivery to a kabillion devices is very hard, and not easy to replace. However, Moxie has encouraged people to take advantage of the server's WebSockets support, and to build an option for that into the client if they want to remove the last barrier to Google support -- while warning that WebSockets delivery will not be nearly as good as GCM-based delivery.
I was talking with a friend about this over the weekend, and I think that the push that's happening for fully reproducible builds -- where every build produces an identical binary with an identical hash -- would resolve some of the issues Moxie has.
Then, Moxie can sign the hash of the binary, and others who build the source code or get binaries from other places can verify that hash. That still requires some tooling or verification UX, and for builds to be reproducible by people other than Moxie, but it could make a difference.
-- Eric
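
The check that reproducible builds would make possible, as an added example (not part of the original message and not the TextSecure project's code): it assumes APK v1 (JAR) signing, where the signature files live under META-INF/, and compares every other entry of a local build against a signed release. The archives and names below are constructed in memory as stand-ins for real APKs.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signing adds these files under META-INF/, so a signed release never
# hashes the same as an unsigned local build, even when the code is identical.
SIGNING_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signing_entry(name):
    upper = name.upper()
    # MANIFEST.MF only lists digests of the other entries, so it is skipped too.
    return upper.startswith("META-INF/") and (
        upper == "META-INF/MANIFEST.MF" or upper.endswith(SIGNING_SUFFIXES))


def content_digests(apk_bytes):
    """Map entry name -> SHA-256 of uncompressed content, skipping signing files."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or is_signing_entry(info.filename):
                continue
            if info.filename in digests:
                # Duplicate names can hide content from a naive comparison.
                raise ValueError("duplicate entry: " + info.filename)
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def compare_builds(local_apk, released_apk):
    """Return sorted names of entries that are missing or differ between builds."""
    a, b = content_digests(local_apk), content_digests(released_apk)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def make_apk(entries):
    """Build a constructed sample archive in memory (stand-in for a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: same code, with and without signing files, plus a modified copy.
BASE = {"classes.dex": b"dex-bytes", "AndroidManifest.xml": b"<manifest/>"}
SIGNING = {"META-INF/MANIFEST.MF": b"m", "META-INF/CERT.SF": b"sf", "META-INF/CERT.RSA": b"sig"}
LOCAL = make_apk(BASE)
RELEASED = make_apk({**BASE, **SIGNING})
TAMPERED = make_apk({**BASE, **SIGNING, "classes.dex": b"dex-bytes-plus-extra"})
```

`compare_builds(LOCAL, RELEASED)` returns an empty list although the two files differ byte for byte, while `compare_builds(LOCAL, TAMPERED)` names `classes.dex`.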