Also, I am curious if the online wallet break-ins we keep hearing are due to the site's own security, or a lapse on the user's part (weak passwords, keyloggers, etc.).
I don't think there is a clear answer on this yet.
There has been some discussion about several of the "break-ins" involving accounts with poor password security (same password used on multiple sites, and/or weak passwords).
There has also been some discussion about the possibility of weakness in the smartphone app where the password was stored in cleartext.
I think I remember there being some discussion about the potential for users to have encountered malware that may have captured passwords as well.