So if they keep private keys (in encrypted form), why haven't they been hacked. It seems like they'd have a shitload of keys and after someone got those they'd have very little trouble 'guessing' passwords against them. Are you sure they keep private keys in their database? Seems like a very big target to me.
On many occasions in the past people that have used weak passwords have had their blockchain.info wallets emptied by hackers, and those with strong passwords have had their blockchain.info wallet emptied by malicious browser plug-ins.
It happened right in front of me once:
https://bitcointalk.org/index.php?topic=602250.0
You can see here (from the https://blockchain.info/wallet webpage) that they are still storing the encrypted private keys in their database:
