I don't understand why you are so fixated on choosing your own private key that is memorable. Why not instead generate random private keys until you generate something that you find memorable? That is far more secure than you choosing something memorable.
These are just ideas and this is just a discussion. I'm the type of person that delves and delves until I find myself answering other people's questions on whatever it is I'm investigating.
A random private key will never be as memorable to me as something I create myself. So there's a trade-off either way you go.
It can be stolen the moment you decide to spend the coins and have to enter your private key into some software. Even if you are keeping the coins in long term storage, at some point in the future you will want to move those coins out of storage to do something with them. Whenever you do that, you expose your private key and it can be stolen.
Similarly, the same argument can be made for randomly generating a private key and keeping it on a storage medium that never touches the internet.
There is also still a significant privacy loss even if you are only using that address for receiving. For starters, everyone that sends you money will know how much money you have. Furthermore you are reducing the privacy of everyone that transacts with you because anyone will be able to look at their transactions and immediately know who they were paying and how much.
Once again, you're assuming I'm reusing this public address over and over again or that I'm advertising it. This is my storage wallet and not an address for people to send me funds. True, if I bring them out of hibernation it increases their vulnerability. Then I go down the path of p2p wallets, etc. and find a new cold address to send my savings to.
At the very first moment when you visit directory.io to find the page number of your offline-created private key, it will be very easy for the admin of the page to steal your funds immediately, PLUS your offline-generated key is not offline anymore. There is no need to repeat the visit, because the attacker (admin) can simply check all visited directory.io pages and check the balance of all private keys on that very page.