The most common recommendation nowadays is to just get a hardware wallet. Which in my opinion offer an excellent combination of security and usability. They are fairly idiot-safe, so to speak 
they also need backups.and can be hacked (private key extracted) once the attacker gets his hands in the physical device itself.
The main objective when it comes to securing Bitcoin has been to be safe of online attacks. Hardware wallets are the most secure in this regard, even assuming physical backups. Which are not even necessary, should one memorize their seed.
Regarding physical attacks -- I'm not sure if you have followed Trezor, but they have a great track record of thwarting physical attack vectors. In other words, the physical extraction of private keys from a Trezor is currently a purely academic question. The many eyes principle has worked exceptionally well in this case. I reckon that Ledger is in a similar position, however I don't follow them quite as closely.
Even should an attacker get their hands on your wallet seed, there's still the user defined passphrase to break -- which in terms of complexity can be that of a brainwallet. So the security of a hardware wallet is that of a brainwallet -- plus 24 seed words.