The high priority is making it safe to use, even if your computer gets infected by malware.
I don't see how that can be possible without the use of an "uninfectable" dedicated device to sign the transactions.
I wouldn't even say strong security to non-tech users should be a priority of the reference implementation at all. Leave that to clients like Armory. The reference implementation should focus on the protocol, IMHO.
Yes, I agree. However, prominent Web sites such as bitcoin.org should be carefully written with a new user in mind. Perhaps a word of warning about the blockchain size, and a list of available alternative thin (and thick) clients. Online wallets should be mentioned, but not listed/endorsed due to trust issues.