Changing your subnet mask to 255.255.0.0 should not work if the network is configured correctly.)
Each IP address represents a 32-bit binary number that identifies the network that a node belongs to, and identifies the node. The subnet mask determines what the length of the network portion of that ID is. The broadcast address is the highest IP address in the range.
For my example, I'll use the network beginning at 192.168.1.1 since most people are familiar with it.
A standard /24 network using the subnet mask 255.255.255.0 has a broadcast address of 192.168.1.255.
By changing your subnet mask to 255.255.0.0, you are now on a network whose broadcast address is 192.168.255.255.
Now, there's an age-old argument that ensues here about terminology. Most people will define a broadcast domain as all nodes connected on one side of a router. So any devices connected to a switch (since it's not a router) would be in the same broadcast domain as defined by CCNA, etc. HOWEVER, those definitions also assume that all of the nodes connected to a switch are intended to communicate with one another on the same network and share the same subnet mask. That's a huge assumption. If you intentionally give them different subnet masks, it segregates broadcast traffic. Yes, you can still sniff it out, but for general purposes it's simply dropped by any NIC that uses a different subnet mask.
I also get what you're saying about 1:1 relationships between VLANs and subnets and I don't disagree. They both accomplish essentially the same thing, VLAN at layer 2, subnetting at layer 3.
However, my suggestions still remain. I prefer to do QoS at layer 2 (since it's often required there anyway--many VOIP phones work at layer 2 and do not have IP addresses). I implement security rules mainly at layer 3. Especially in networks that use DHCP this is far easier to maintain than MAC filtering. I'm not suggesting that you don't have security at both layers. I would implement an example network like this:
10 IP cameras with Static IP addresses connected to a single dedicated PoE switch using addresses from the 192.168.50.0/24 space. (255.255.255.0 subnet mask.)
10 VOIP phones (no IP addresses), 5 workstations, connected to a second switch using DHCP addresses from the 192.168.1.0/24 network. Phones use VLAN 10, workstations use VLAN 150.
Both switches connected to UTM device (wireless router) with internet connection.
Wireless users are assigned a DHCP address from the 172.16.0.0/24 range (easier to recognize in logs) with client isolation.
The UTM device acts as a firewall/router. It prevents communication between the cameras and the workstations. QoS is set up for VLAN 10 to ensure quality of service for voice calls. Bandwidth quotas are set up for VLAN 150 to control workstations.
For simplification, I'm not including any servers, VPNs, or DMZs.
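An added example, not part of the original post: a Python check, using the standard `ipaddress` module, that computes the broadcast address a host derives from its address and mask and flags hosts whose mask does not match the planned segment. The segment names, the `audit_host`/`audit_inventory` helpers and the host inventory are constructed for illustration; the address ranges are the ones from the example network above.

```python
import ipaddress

# Planned segments, taken from the example network in the post (names are assumptions).
SEGMENTS = {
    "cameras": ipaddress.ip_network("192.168.50.0/24"),
    "wired-dhcp": ipaddress.ip_network("192.168.1.0/24"),
    "wireless": ipaddress.ip_network("172.16.0.0/24"),
}

def audit_host(address, netmask):
    """Return (broadcast, home_segment, foreign_segments_seen_as_local)."""
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    host_net = iface.network  # the network the host believes it is on
    home = next((n for n, net in SEGMENTS.items() if iface.ip in net), None)
    # Other planned segments that fall inside the host's own idea of "local":
    # the host would address them directly instead of via the router/firewall.
    foreign = sorted(n for n, net in SEGMENTS.items()
                     if n != home and net.overlaps(host_net))
    return str(host_net.broadcast_address), home, foreign

def audit_inventory(hosts):
    """Return (hostname, reason) for every host that deviates from the plan."""
    findings = []
    for name, address, netmask in hosts:
        broadcast, home, foreign = audit_host(address, netmask)
        if home is None:
            findings.append((name, "address outside every planned segment"))
            continue
        planned = SEGMENTS[home]
        if ipaddress.ip_address(broadcast) != planned.broadcast_address:
            findings.append((name, f"mask mismatch in {home}: broadcast "
                                   f"{broadcast}, treats {foreign} as local"))
    return findings

# Constructed sample inventory: (hostname, address, configured mask).
INVENTORY = [
    ("ws-01", "192.168.1.20", "255.255.255.0"),
    ("ws-02", "192.168.1.21", "255.255.0.0"),   # mask widened by hand
    ("cam-03", "192.168.50.13", "255.255.255.0"),
    ("laptop", "10.0.0.5", "255.255.255.0"),    # not in any planned range
]

if __name__ == "__main__":
    for host, reason in audit_inventory(INVENTORY):
        print(f"{host}: {reason}")
```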