Is there a similar compact and fairly comprehensive expression of Ripple's security assumptions that could help people reason about the system?
At the highest level -- you are secure so long as the majority of your trust list doesn't conspire. If you have a bad trust list, you can be lied to about what transactions have been applied by the system.
What happens if the majority of each of _their_ (unknowable to me) trust lists conspire?
Something bad must happen, otherwise My partner and I each run a valditator node make my client trust only those. I know they don't conspire against me. Now my client behind them is totally safe! ... or not.
Think about it this way though -- if you have a 51% attack against Bitcoin, you have to make fundamental changes in Bitcoin. If you have a consensus breaking attack against Ripple, you have to remove the conspirators from your trust list.
See my example as to why I don't think its so simple. Shutting out a single high hashpower attacker isn't hard and lots of altcoins have done silly things to accomplish it. But it's pointless because shutting out a single attacker is not useful if the fundamental assumption that a badguy won't have a computing majority is flawed. Likewise, removing conspiring nodes from your trust list is perhaps not all that useful if they were ever able to get there in the first place.