As I mentioned above - CoinKite uses something in between with their HSMs. Other than that I don't see another solution for an exchange. (well, in the past exchanges used only "hot" wallets without any safeguards if you want to count that as an solution )

There are some plain wallet services that don't utilize multisig addresses and don't store unencrypted private keys on the server. Instead, they encrypt everything in the browser and then just send it to the server for storing. This is more or less ok, but doesn't let them to provide an exchange service.