Veldy, if two pools can collude, then so can three, four and more. This risk is inherent to bitcoin design. The only solution to this problem is monitoring and notifying miners in case pools start to double spend.
Yes they can, but it becomes more and more difficult. Further, I think it unlikely that the pool operators will be in on the collusion as it is clear to me that they would be the most heavily scrutinized after an attack. Thus, an external attacker would have to compromise several pools if they are all smaller rather than one large pool.