Sample how one-time signature works
Perhaps it helps to walk through a short sample. Assume we are in a world where you do not need 384-bit security, but only 8-bit security (to make the example shorter). And I'll use a binary, not a ternary, example.
Your private key consists of 16 parts, 8 for each bit of security (so you have 8 parts to reveal for a bit that is 1, and 8 parts to reveal for a bit that is 0).
You first create the bundle hash of the bundle (assume we get 11000001). Then, to prove that you are the owner of the key, you reveal the first, second and last part of the one bits, and the third to seventh part of the zero bits.
As a consequence, 8 of your 16 parts are now revealed, and everybody (you as well as everyone else) can use them to sign a message with bundle hash 11000001 from your address.
It is also worth noting that for one-time signatures, the only way to prove that you have a part of the key is to reveal it, unlike normal public-key crypto (which can be broken by quantum computers), where you can prove that you have a key without revealing any part of it.
Now about your assumptions
The first one is correct. You will reveal exactly half of the parts, since every bit of the bundle hash is either 1 or 0 (it cannot be both and it cannot be neither). The parts you reveal follow directly from the bundle hash (so if you have two bundle hashes that both have the same bit at the same position, you will reveal the same part of your key). You reveal less "new" information if many bits are the same, and completely different information if all bits are different. As you cannot control the hash (except by brute-forcing until you get a hash you like), the parts you reveal can be treated as random.
Your second assumption is also correct. When you change your transaction (bundle), the hash changes, and therefore the parts you reveal change (for every bit that changes in the hash).
Your third assumption is also correct. Count the bits that are different in the hashes. If your new hash is 11000011 and your old hash was 11000001, you will reveal one more piece of information (since one bit is different) and will afterwards have revealed 9/16.
Where is the fallacy in your scenario?
All the steps in your scenario can be performed in theory. The problem is that there are 384 bits, so you will have to try a lot of times (2^384 times to be exact) until you find a bundle that has the same hash (all bits the same, and therefore you can sign it without revealing more information). So while it is possible in theory (just like it is possible in theory to guess seeds until you find one that has 1Giota on it), the time is longer than the universe will exist (even if every atom in the universe was a computer that worked on your problem).
Why is it good that your scenario does not work?
Assume that your scenario would work, and you could sign a second transaction without revealing anything (in other words, sign a second transaction using only the information that is already public). Then not only you could sign that transaction, but anybody else could, too.
As it is now, you are in danger as soon as you reuse an address. But if anybody could find a message he could sign without revealing more data, you would already be in danger as soon as you use an address the first time, making the signature essentially useless.
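The 8-bit sample above, carried through in code as an added example (this is not code from the answer or from any IOTA implementation): a Lamport-style one-time signature with two secret parts per hash bit, signing by revealing one part per bit, and a count of how many parts (and how many distinct hashes) become public after the first signature and after reusing the key for 11000011. SHA-256 as the one-way function, 32-byte parts and the helper names below are assumptions of this example, not of the original post.

```python
"""Toy Lamport-style one-time signature over an 8-bit 'bundle hash'.

Added illustration, not code from the answer above or from any IOTA
implementation. Parameters follow the answer: an 8-bit hash and 16 secret
parts (two per bit position, one for '0' and one for '1'). SHA-256 stands
in for the real one-way function; that choice is an assumption here.
"""
import hashlib
import secrets

HASH_BITS = 8  # the answer's shortened example; real IOTA uses 384-bit security


def bits(s: str) -> list:
    """'11000001' -> [1, 1, 0, 0, 0, 0, 0, 1] (bit strings taken from the answer)."""
    if len(s) != HASH_BITS or set(s) - {"0", "1"}:
        raise ValueError("expected a %d-character bit string" % HASH_BITS)
    return [int(c) for c in s]


def keygen():
    """Private key: 2 * HASH_BITS random parts, sk[i][v] = the part for bit i having value v.
    Public key: the hash of every part; revealing a part proves you knew its preimage."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(HASH_BITS)]
    pk = [[hashlib.sha256(part).digest() for part in pair] for pair in sk]
    return sk, pk


def sign(sk, hash_bits):
    """Reveal exactly one part per position: the '1' part where the bit is 1, the '0' part where it is 0."""
    return [sk[i][b] for i, b in enumerate(hash_bits)]


def verify(pk, hash_bits, sig) -> bool:
    """Each revealed part must hash to the public-key entry selected by that bit."""
    return len(sig) == HASH_BITS and all(
        hashlib.sha256(part).digest() == pk[i][b]
        for i, (b, part) in enumerate(zip(hash_bits, sig))
    )


def revealed_parts(signatures):
    """Everything an observer has learned from this key: {(position, value): part} over all
    signatures. Signing the same bit value at the same position twice adds nothing new."""
    public = {}
    for hash_bits, sig in signatures:
        for i, (b, part) in enumerate(zip(hash_bits, sig)):
            public[(i, b)] = part
    return public


def forge(public, target_bits):
    """Anyone can sign target_bits from public data alone if every needed part is already
    revealed. Returns None when at least one required part is still secret."""
    try:
        return [public[(i, b)] for i, b in enumerate(target_bits)]
    except KeyError:
        return None


def forgeable_hashes(public) -> int:
    """Number of distinct hashes signable from public data: the product over positions of
    how many of that position's two parts are public (0 if some position has none)."""
    n = 1
    for i in range(HASH_BITS):
        n *= sum((i, v) in public for v in (0, 1))
    return n


if __name__ == "__main__":
    sk, pk = keygen()
    h1, h2 = bits("11000001"), bits("11000011")
    s1 = sign(sk, h1)
    pub = revealed_parts([(h1, s1)])
    print(len(pub), "of", 2 * HASH_BITS, "parts public after one signature")  # 8 of 16
    print("hashes anyone can now sign:", forgeable_hashes(pub))                # 1
    s2 = sign(sk, h2)  # address reuse: one bit differs, one more part leaks
    pub = revealed_parts([(h1, s1), (h2, s2)])
    print(len(pub), "of", 2 * HASH_BITS, "parts public after reuse")          # 9 of 16
    print("hashes anyone can now sign:", forgeable_hashes(pub))                # 2
```

After the first signature every position has exactly one public part, so the only hash anyone can sign is the one already signed. After the second, position 7 (the bit that changed) has both parts public, so two hashes are forgeable; every further reuse that flips fresh bits multiplies that set, which is the practical meaning of the "9/16" count in the answer.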