It seems to me that you have very high requirements and a very wide range of tasks for one "box".
Here you need to collect the whole system from different means.
What exactly does Cisco ASA not implement here, with the exception of its functions such as "AD user authorization" and wifi?

Cisco - ASA and ISR does not implement all features.

Asa, of course, is useless in this scenario, but why didn’t they arrange ISR?
There is local wi-fi authentication (why?)
There is balancing, and very intelligent - PfR, this thing is able to save the quality of service for certain (specified) traffic classes when the connection is degraded, and not just when the connection is completely down. Otherwise - crutches based on EEM with a lot of restrictions and a minimum of intelligence. In the simplest case, ECMP is stupid.
Filtering by URL, IPS and others - to SM modules.
VPN is not a problem. DMVPN for site-to-site and anyconnect for RA. Flex can be customized.
“Quick detection of bottlenecks” - I did not understand the question. But PfR, together with QoS, can do a lot in automatic mode.
"improving the performance of services that require high bandwidth, such as VoIP and videoconferencing;"
Easily. Again, PfR, which allows you to specify requirements for different traffic classes and automatically selects a route depending on the satisfaction of requirements, plus QoS at the exit.
QoS;
Easy. In addition, the ISR has, as far as I know, a unique "per-tunnel QoS" feature. The bottom line: the central office will know about the channel width for each of the regions, and will be able to dynamically apply QoS policies for each region.
"Traffic shaping - so that one employee cannot occupy the channel when there is a queue, but can use the entire channel when, for example, he is alone in the office or when the channel is not fully occupied and there is no queue."
You called it shaping, but in fact this is just the principle of QoS prioritization, which has nothing to do with shaping.
Or is it implied that the shaper is hung up, corresponding to the width of the provider channel, and there are already classic queues in it? This is standard practice.
That is, in fact, your target is ISR G2, which meets all the requirements. These are brunches. In the center, it is better to put ASR1k on terminating VPN channels, since they are relatively inexpensive - there are too many peers for ISR. All of the above functionality (except for filtering URLs and viruses, which is implemented without problems by a separate piece of hardware) is also available on them.

How to set up application filtering on Cisco?

I want to drop the topic.
I read a bunch of manuals and came to the conclusion that the Cisco ISR / ISR G2 is for me.
But did not find the answer to some questions.
1. authorization of users through AD - I don't want to release unauthorized traffic, I don't want to manage multiple user bases.
2. it is highly desirable to block traffic from all applications except those allowed.
3. reporting and analytics - to see in a general way that people are in the main on the social. networks go, who downloads the most, what type of traffic, etc.
4. repelling attacks - I installed a software solution that showed that they were really trying to hack me, picking up passwords, etc. But at Cisco, this service costs a lot of money (relative to my budget).
Maybe consider the ASA + ISR option?