Our "hot wallet" is a 3/3 multi-sig with one of the signers being a physical server, so funds are safe.
Where's the redundancy in this setup? Who holds for instance the backup to the keys used on the physical server?
The only really bad scenario is if all 3 signer servers get seized at the same time.
If just 1 out of 3 is unavailable, the multisig transaction can't be signed anymore. Unless you mean a 1/3 multisig setup, but that creates other risks.