How would you steal it? If you register a name of somebody else before he does, is as registering a domain which somebody wanted before he does. Nobody prevents this and I'm not sure the service should take this into account, as this could not be prevented.
If somebody registered a name, you want to steal, at the moment the only way to redirect to your wallet is to change the bitcoin hash within the database. And this should be prevented by the system of the service (general security algos, encrypted db, etc).
And deleting the name of somebody else, is not possible if you dont know his password. And if you know it, its like you know the password of his truecrypt wallet container. Weak password protection. But even this, the service can't take into account. Within the service the password is atm "secure", in a way what up to date hashing/encrypting systems offer. And if you find a leak within the code. Feel free to send a patch or just hint it.

If you have another way in mind, please tell me. I really want that kind of feedback.