The only difference I can see is that the passphrase is chosen by the user rather than being randomly generated by bitfloor.
This is precisely the difference. By having a passphrase which is selected by the user, having access to the API key and secret key (database dump or otherwise) will not allow the attacker to create phony API requests. The API still generates a strong secret key for signatures which is not user-selected.
Previously (and with many current exchange APIs), if an attacker is able to get a list of API keys and secrets, and the exchange does not detect or react quickly enough, then the attacker can simply use the keys to make API calls as if they were you (no intercepting or other complex action required on the server by the attacker). Using a passphrase which is stored using a one-way salted hash ensures that even with key access the attacker will not be able to make requests without knowing your user-selected passphrase. The use of a passphrase sets up a shared responsibility to secure secrets between the client and the server without all of the required data being stored by our server to make the API request.
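The scheme described in the reply above, sketched as an added example (not Bitfloor's code and not part of the original post). It assumes HMAC-SHA512 request signatures, PBKDF2 for the salted passphrase hash, and a passphrase sent with every request; all function and field names are hypothetical.

```python
import hashlib
import hmac
import os


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    # One-way salted hash; algorithm and iteration count are assumptions.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def create_credentials(passphrase: str):
    """Server side: generate key and secret, keep only a hash of the passphrase."""
    api_key = os.urandom(16).hex()
    secret = os.urandom(32)  # server-generated signing secret, not user-selected
    salt = os.urandom(16)
    record = {"secret": secret, "salt": salt,
              "pass_hash": hash_passphrase(passphrase, salt)}
    return api_key, secret, record


def sign(secret: bytes, body: bytes) -> str:
    return hmac.new(secret, body, hashlib.sha512).hexdigest()


def verify_request(db, api_key, body, signature, passphrase) -> bool:
    """Accept only if the signature AND the passphrase both check out."""
    record = db.get(api_key)
    if record is None:
        return False
    sig_ok = hmac.compare_digest(sign(record["secret"], body), signature)
    candidate = hash_passphrase(passphrase, record["salt"])
    pass_ok = hmac.compare_digest(candidate, record["pass_hash"])
    return sig_ok and pass_ok


def demo():
    passphrase = "constructed sample passphrase"
    api_key, secret, record = create_credentials(passphrase)
    db = {api_key: record}
    body = b'{"side": "buy", "size": "1.0"}'  # constructed sample request body
    # Client holding key, secret and passphrase.
    legit = verify_request(db, api_key, body, sign(secret, body), passphrase)
    # Request built only from what the server stores: the signature is valid,
    # but the stored hash is not the passphrase, so the request is rejected.
    stored = db[api_key]
    from_stored = verify_request(db, api_key, body,
                                 sign(stored["secret"], body),
                                 stored["pass_hash"].hex())
    return legit, from_stored


if __name__ == "__main__":
    print(demo())
```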
That would only work if the data were stored not just in different domains but in physically separate locations.
A database dump would be a complete compromise. Salted hash password or otherwise.
If I were designing an API where this threat was a real possibility, I would use a totally different approach.
I would use a public/private key signing system. Similar to how bitcoin itself functions. If someone got their private key compromised, that's their own personal problem. However, you're only storing the public key, so a compromise is completely irrelevant.