I added the second check for the secret phrase before sending money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again.
So can the client itself send money if the wallet is unlocked? Without that additional check?
What worries me most is the possibility of a bug in the client, which would allow an attacker to instruct it to send money directly.
And since the client is already exposed to the outside world through the firewall and its IP is known, it can be a really nasty threat.