So if they keep private keys (in encrypted form), why haven't they been hacked. It seems like they'd have a shitload of keys and after someone got those they'd have very little trouble 'guessing' passwords against them. Are you sure they keep private keys in their database? Seems like a very big target to me.
You're 100% right. bc.info is not a safe wallet. Javascript/password based wallets are dangerous, and bc.info doesn't have a great track record.