Clearly, using a sentence from a book or similar and adding or replacing characters can make the brainwallet harder to break, combined with a weird and high number of hashing rounds, even though keys can be collected in each round.
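The "keys can be collected in each round" point from the post above, as an added Python example that is not from the original thread: a brainwallet that applies SHA-256 an odd number of times to a passphrase, beside an attacker who hashes each candidate phrase up to some bound and checks every intermediate digest. The passphrase, the round counts and the candidate list are constructed for the demo, and the 32-byte digest is used directly as the private key (no range check against the secp256k1 order is done here).

```python
import hashlib
from typing import Iterator, Iterable, Optional, Set, Tuple


def iterate_sha256(passphrase: str, rounds: int) -> Iterator[bytes]:
    """Yield the digest after every round: round 1 is sha256(passphrase),
    round 2 is sha256(sha256(passphrase)), and so on."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    state = passphrase.encode("utf-8")
    for _ in range(rounds):
        state = hashlib.sha256(state).digest()
        yield state


def brainwallet_key(passphrase: str, rounds: int) -> bytes:
    """What the wallet owner derives: the digest after exactly `rounds` rounds.
    The owner must remember both the phrase and the (weird) round count."""
    key = b""
    for key in iterate_sha256(passphrase, rounds):
        pass
    return key


def crack(candidates: Iterable[str], max_rounds: int,
          targets: Set[bytes]) -> Optional[Tuple[str, int, int]]:
    """Attacker side. The attacker does not know the owner's round count, but
    does not need to: while hashing a candidate phrase up to `max_rounds`,
    every intermediate digest is a key for free, so all round counts
    1..max_rounds are tested for the price of max_rounds hashes per phrase.
    Returns (phrase, rounds, total_hashes_computed) or None."""
    hashes = 0
    for phrase in candidates:
        for r, key in enumerate(iterate_sha256(phrase, max_rounds), start=1):
            hashes += 1
            if key in targets:
                return phrase, r, hashes
    return None


# Constructed demo: the owner picks a "weird" round count, the attacker just
# bounds the search at a round count above anything a human would pick.
OWNER_PHRASE = "correct horse battery staple"   # constructed, not a real wallet
OWNER_ROUNDS = 7331
TARGET_KEY = brainwallet_key(OWNER_PHRASE, OWNER_ROUNDS)


def demo() -> Optional[Tuple[str, int, int]]:
    wordlist = ["password", OWNER_PHRASE]       # constructed candidate list
    return crack(wordlist, max_rounds=10_000, targets={TARGET_KEY})


if __name__ == "__main__":
    print(demo())
```

The cost the attacker pays is one hash per round per candidate phrase, exactly the cost the owner pays once, so the round count acts as a work multiplier, not as a secret: the security still comes entirely from how hard the phrase itself is to guess.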
"Speed Optimizations in Bitcoin Key Recovery Attacks" gives examples of the passwords the researchers cracked. I think most people would consider {1summer2leo3phoebe to be quite strong.
If you are paranoid enough, you would never use a hardware wallet from some manufacturer. Firstly, the hardware can break. Secondly, the hardware can be manipulated. Not necessarily by the manufacturer, but during shipment (unless you buy it directly in a shop without providing your identity). Thirdly, the seed sentence can be stolen.
I don't worry about your first concern, because of the recovery seed. The third concern is a risk similar to paper wallets, but it's the second concern that has until now stopped me from getting a hardware wallet. No matter how much the manufacturer is trusted, a hardware wallet is a black box to me, and I can't possibly check how it generates its seed phrases.
But for a cold wallet, I would claim that a "brainwallet" with a complex passphrase / seed is the best choice.
I wouldn't trust my own memory to be able to reproduce the password after (say) 20 years. Most of my long passwords are used on a daily basis, so they're easy to remember. The brainwallet needs to have a unique password, and if I don't use a password for a very long time, chances are I forget part of it.