I think either it is best to leave Web Profile mostly alone (and maybe prune it) or use it as a more effective replacement to Full Profile (and basically treat the Full Profile as mostly legacy).
I would like to see the latter option. Speaking with my Piranha Cloud hat on; we're not looking forward to implementing things like the Application Client Container, EAR support, and some of the more obscure aspects of Corba and EJB2 and whatever else still lingers in EJB-full.
Moving at least Concurrency and Authorization to Web Profile (for Authorization, perhaps for simplicity make it a sub-spec of Security), and perhaps a Messaging lite (Messaging with only the newer, simplified API) and Mail, would make the Web Profile essentially the Legacy Free Profile that has been talked about before.
When Concurrency absorbs most of the still useful EJB-based services in an CDI version, EJB-lite can be safely pruned from the Web Profile, IMHO.