I think I got it. I will post it here in the case someone else falls in the same misconception I did.
Looking at the response headers in my regular desktop browser I noticed that the pages which won't load in the mobile app iframe have the X-Frame-Options: SAMEORIGIN set in their response headers.
This option tells the web-browser NOT to load that page in a frame unless the window belongs to the same origin. Since my iframe doesn't qualify, the page won't load. https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
I had also (mis)understood the goal of the config.xml whilelisting: That whitelisting is places the app can visit. It has little to do with what can be received by the app. My bad.
Its not a plugin and comes along with PhoneGap. So there is guaranteed manitenance and upgrades for every version of PhoneGap.
Great tip, WhizKid747! I've been working with inAppBrowser for the last 2 days now. Exactly what I needed. Thanks again.