[...] If the user loses both seeds, it takes 60 seconds + 1 day + 1 day.
I wold like to point out that your times are correct only if the user has a way to know that an individual seed has has been cracked. Otherwise, you must multiply the number of attempts rather than add them.
Edit: Oh, I see that you have already arrived at that conclusion.
You're the second person to point this out after I corrected myself.
You could store hash(passphrase+seedX) in the blockchain so that the brainwallet client can figure out when it has cracked the seed, but that means an attacker also has that clue. Not such a good idea: now an attacker can hunt for hash(passphrase+seedX) matches to discover seeds with weak passphrases, and once they find two different seeds with the same passphrase, they're less than 60 seconds away from finding a private key.