I thought the mini private key format, used for Casascius physical bitcoins should rate a mention here, because it's basically a SHA256 brainwallet... but with a randomly generated passphrase.
https://en.bitcoin.it/wiki/Mini_private_key_formatGiven that the random passphrase length is 22 characters (early version) or 30 characters, the chances of brute forcing it are still virtually nil, but technically, it is less secure than a standard key, in particular because 99%+ of the tries can be discarded after the first SHA256 hash.
I came across my simple mini key generator tonight, and I'm having another play with it.
The naive version uses random() and outputs about 8000 valid keys per second on a single core of an i7-3960X.
I updated it to use the xoshiro256** PRNG, and the speed increases to around 13000 valid keys per second.
Because the generation process requires that the first byte of the candidate hash be '00', on average only 1/256 candidates will be valid, so it's really testing about 3.3 million keys per second.
It's still a massive search space (58^30?), even for a SHA256 brainwallet, and prematurely discarding 255 out of 256 candidates does not reduce the search space... it just makes searching faster. Plus, how many Casascius coins were ever created, and how many would still be funded? So this is really just a curiosity.
The reason why brain wallets are insecure is that they are typically generated in ways that are not truly random. Generating a brain wallet using a random function will not have this problem.
For example, if a brain wallet is a phrase that is found in literature, there are a very limited number of phrases in literature, and the number of candidate brain wallets are many orders of magnitude less than the number of potential private keys.