There has been quite some progress in this area since this thread was originally discussed.
Here is a quick write-up regarding what I consider to be best-in-class security for web-based clients:
https://ripple.com/wiki/User:Justmoon/Secure_Bookmarklet

Note that the document above deals only with the code delivery problem (i.e. the server can send you a version of the client that steals your keys). This seems to be the key issue that web wallets need to solve.
Note also that a web client like this actually provides better security in this particular area than a downloadable wallet like bitcoin-qt, because it makes independently verifying the client much quicker and much more user-friendly and it is therefore significantly more likely that any given user will actually bother to do it.