discussed before in this sub-board, more detail to be found there
QR codes are datasize limited, they cannot encode the amount of information in one image that a typical transaction would require. Sequences of QR's are not impossible, but could be unreliable or unwieldy in practice. It would take some time to discover whether the average modern equipment would be up to the task.
Okay, new principle: Never use USB on my offline laptop.
I'm going to buy a new offline laptop which has a built-in DVD reader. (My current laptop doesn't have an optical drive.) Then I can burn a DVD for installing Ubuntu and burn CDs for getting files onto the offline machine. To get signed Armory transactions back to online computer, I can use a camera and OCR software.
That would handle the USB concerns, but remember the principle that goatpig has introduced us to: peripheral sockets of the various types found in computers may conform to one standard at the physical end, but may get handled electronically by an entirely different protocol. Investigate whether the candidate laptop is using SCSI, SATA, ExpressCard, USB, SD or whatever other interface to the motherboard the ROM disk device could use. If so, investigate that interface platform for the types of exploits that goatpig outlined when telling us about USB ports that aren't really 100% USB.
Also, 5cm CD's or CD-RW would be a good way of minimising the wastefulness of this method. Multi-sessioning the disks in pursuit of the same ideal is probably not such a good plan.
The thing is, it's hard to find such a laptop unless it's also a DVD writer too. So that begs the question: Could inserting a DVD/CD into a DVD/CD writer be potentially dangerous? Or maybe this is not really a risk like USB is a risk? In fact, reading CDs/DVDs also begs this same question. Can they do attacks like USB devices can?
Different kind of risk (as you identify) and not as risky at all. Burning information to ROM disks is just not surreptitious, you would (should...) notice. Contrary to my earlier post. Which means I don't think anyone would write an exploit with CD burning as a part of the attack vector, it doesn't make alot of sense.