The same possibility exists concerning pool operators, right now. Slush + Deepbit have more than 50% of the computing power. BTCGuild is also huge. They wouldn't have much trouble to coordinate some attack, if they wanted to. But if even them, which only get a small share of what is mined under their pool, don't have an incentive to double-spend, imagine a botnet owner who would get 100% of the mining returns if doing it honestly?

Double-spending through a >50% attack is not cost effective. The incentives to be an honest miner are much stronger.

If we should worry with a >50% attack, that would be a politically-motivated one, with the intend to pause the network for as long as they can at the expense of some taxvictims. And even that is not very likely either.