Hi Phil
I can't see any reason why you cannot use object-groups as the crypto access-list is just a normal access-list.
It is not recommended, however, to use TCP port numbers in the crypto access-list, as there is a performance hit with this.
You have a number of options:
1) You could use TCP port numbers and just keep an eye on the CPU utilisation
2) You could make sure you have "sysopt connection permit-ipsec/permit-vpn" turned off, permit IP in your crypto access-list and then filter more specifically using an access-list on your outside interface
3) If your device is running v7.x of the code you could use an outbound access-list on the inside interface.
You are correct when you say that using port numbers is not supported for nat exemption.
HTH
Jon
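
A configuration sketch of option 2 above, added here as an illustration and not part of the original reply. It assumes pre-8.3 PIX/ASA syntax; all object-group names, ACL names, addresses, the crypto map name and sequence number, and the permitted port (443) are constructed placeholders.

```cisco
! Constructed example: every name, address and port below is a placeholder.
object-group network LOCAL-NETS
 network-object 10.1.1.0 255.255.255.0
object-group network REMOTE-NETS
 network-object 10.2.2.0 255.255.255.0
!
! Crypto ACL: object-groups are fine, but match on IP only (no TCP/UDP ports).
access-list CRYPTO-L2L extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS
crypto map OUTSIDE-MAP 10 match address CRYPTO-L2L
!
! NAT exemption: same IP-only match, since port numbers are not supported here.
access-list NONAT extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS
nat (inside) 0 access-list NONAT
!
! Make decrypted tunnel traffic subject to interface ACLs.
! The keyword is permit-ipsec or permit-vpn depending on the software version.
no sysopt connection permit-vpn
!
! Port-level filtering happens here, on the decrypted traffic entering "outside".
! An interface takes one inbound ACL, so existing outside rules (including the
! permits for IKE/ESP to the firewall's peers, if filtered here) must be kept in it.
access-list OUTSIDE-IN extended permit tcp object-group REMOTE-NETS object-group LOCAL-NETS eq 443
access-list OUTSIDE-IN extended deny ip object-group REMOTE-NETS object-group LOCAL-NETS log
access-group OUTSIDE-IN in interface outside
```

With the sysopt bypass disabled, every tunnel on the device is filtered by the outside ACL, so each peer's permitted flows need an entry before the change is applied.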