I was trying to extend the LoginForm class. I didn't think to add it to the Page_controller instead. IT should be easy then to just update the template with the two forms. That sounds like a hell of a lot easier way of doing it. I'll try it out on Monday.
Overriding Security.php's $allowed_actions array worked for the Registration form but then failed for all over actions performed by $LoginForm such as "Logging In" and "Logging Out". It wasn't obvious where these are being set.
To solve this issue I eventually created a RegistrationPage class with the form and included a non-custom $LoginForm into the template.
I then set a default login destination in the config like this.
I then fixed up the Securitty.ss template to show a message when logged in / logged out as the default logout action is still to redirect to this template.