In 2011 it was really silly to use the webwallets.
However, because blockchain.info (and others) never touches your private keys, is it still as much a risk as many here pretend?
(Provided you use a secure password, of course.)
How do you know they don't touch your private keys? They say they don't, but unless you read the javascript source code every time you access their website, you are taking that on trust. If their website is hacked, the hacker could edit the javascript to leak your private keys/password back to them and steal your bitcoins.
This is a much lower risk than an old style web wallet that stores your private keys. In the blockchain.info case you would only be at risk if you tried to access your webwallet in the window between the site being hacked and someone noticing and taking it offline.
This is correct.
Unless you are reading the code/information exchanged between your computer and blockchain.info (or elsewhere) EVERY TIME you connect and exchange information then you can't be sure things are happening as you imagine and hope they are.
For ANY online Bitcoin service I advise only storing as much there longer term as you are willing to lose completely if something unforeseen (like hacking/dishonesty/mistakes etc.) happens.