I thought this question would answer my question, but I have applied the following fixes:
.as
Security.allowDomain("*");
Security.allowInsecureDomain("*");
.html
param name="allowScriptAccess" value="always" />
.js
params.allowscriptaccess = "always";
And I am still seeing the ExternalInterface.addCallback method fail locally.
It works on a web server, or in the dev folder. But not in an arbitrary local folder.
Add as a trusted location the folder where your swf/html reside. Right click the Flash Player>Global Settings>Advanced>Trusted Locations.