If none of the currently most trusted signers have cheated, I think it's inevitable that they will, as incumbents, be likely to retain their positions as most trusted. So wouldn't you have the three most trusted people permanently capable of colluding and stealing all of the funds on the exchange secured by 3-of-5 multisigs?
Also, no offense intended, but wouldn't the most trusted signers be Jordan and the devs?
So aren't we, in effect, being asked to trust a few known people with our money?
I doubt the lower transaction fees for 3 of 5 multisigs will outweigh the security advantages of using 15 signers any time soon. So I wouldn't recommend 3 of 5 multisigs. It is possible we will see that right when the system first becomes operational, but I expect the network will scale up the number of signers quickly.
Shareholders will get to decide the identity and quantity of signers and can change this configuration at will (for new deposit addresses). If they fear the scenario you describe they will configure the network to protect against it.
Also, I would guess that the signers, being always online, could easily learn one another's ip addresses if they were so inclined. Suppose the scheme is 8-of-15 and an attacker has control of 4 pseudonymous signers. He would need to successfully ddos any 4 of the remaining 11 signers in order to block withdrawals and extort the depositors.
An attacker would try to ddos them all. Let the probability of successfully ddosing a signer be p.
Then the probability of knocking out 4 of 11 is:
Sum from i = 4 to 11: B(11, i) * (p ** i) (1-p)**(11-i)
where B is the binomial coefficient.
With a 20% chance of a successful ddos, that's a 16% chance of successfully blocking withdrawals. At a 50% ddos success rate, the probability of crippling the exchange is 88%.
Actually, an attacker with no signers and a 50% ddos success rate has a 50% chance of succeeding at such an attack.
I suspect most reputed signers will operate within the Tor network, which is very easy to do. Even if they don't use any proxy, determining which node is theirs is a difficult task that only organizations like NSA could hope to have any success at (if they cared to devote resources to it). Therefore, the premise of your scenario, that reputed signer IP addresses will be known, is false.
If shareholders felt a reputed signer engaged in misconduct, a motion could be passed to burn part or all of their security deposit.
Yikes! If the shareholders feel so inclined, can they pass a motion requiring all the depositors' funds to be distributed among themselves?
Shareholders could do any number of things that would destroy their entire investment, but we can be sure they wouldn't be so foolish. When you consider that the market cap is likely to be equal to many years worth of revenue, it is unlikely that deposits will exceed market cap. Even if they did, I don't think it is credible to suggest that the majority of participants would engage in such blatant fraud.