Thanks for your detailed response.
Electrum seeds are 128 bit (
http://electrum.org/seed.html), which makes them easier to brute force. If one is successfully brute forced, this surely yields a larger 'reward' for a the attacker than just brute forcing private keys directly, as it allows the attacker the reconstruct all private keys in the seeded deterministic wallet.
Assuming I'm correct here, why would the decision for to make the seed for an algorithm that generates multiple private keys only 128 bit, while the private keys themselves are 256 bit?
128 bits is more than sufficient. There's a reason it was chosen.
Consider that the entire bitcoin network, over the course of the last 4.5 years, has "only" produced about 2
69 hashes. You'd have to do about 500 quintillion times that amount of work to have a 50% chance to brute-force a single 128-bit seed. It's just not feasible.