Re: MultiSig only intended for experienced people?
Board: Development & Technical Discussion
by vjudeu on 04/10/2024, 05:11:24 UTC
Merits: 12 from 4 users
⭐ Merited by ABCbits (5), pooya87 (4), hosseinimr93 (2), Charles-Tim (1)
Quote
An address of a 2-of-3 setup therefore contains the public keys of all three cosigners.
In case of Taproot, it doesn't have to, because Schnorr signatures can be combined into a single signature.

Quote
he could blackmail the user with a ransom in order to release the third key, which was foisted by the false software
If you don't know the Script behind your multisig, then don't deposit coins there. Because if you have, for example, only your key to some P2WSH address, and you don't know the Script, then you don't know if the coins are yours or not (and then, this address could contain any keys at all).

Quote
If this is not done, the software wallet can give you fake public keys, similar to the first stumbling block.
If you don't verify the Script behind your address, then how would you know that the address in question contains any multisig at all? It is a must-have to check somehow that your key matches a given address.

Quote
Because some hardware wallets do not offer the necessary functions
That's why I don't use hardware wallets. I just have another laptop, specifically assigned for handling Bitcoin and nothing else. Then, I can install anything I want, and upgrade it when needed. Because hardware wallets are usually quite limited, and when new features (like Taproot) are released, it takes some time to get them supported properly. But if you use software wallets, then you can just upgrade your client, and even add some additional software to handle special cases.

Quote
you are unlikely to go through the procedure described above over and over again for every address you want to use
That's why software wallets are better: it is easier to upgrade your software, when needed.

Also, you probably don't need fresh keys every time, because you can just use Silent Payments. And if you agree upfront on the way of deriving keys, then you can just increase your nonce, and everyone can derive his Nth key, for the Nth multisig address.

Quote
If you are looking for a beginner-friendly option for more security, you should think twice about whether Multisig is really your first choice.
Guess what: we already have a whole network which is built on top of multisig. It is called Lightning Network. Just open a channel, and use 2-of-3 multisig, if you want, and then apply all rules of LN here. If multisig were that hard, then LN wouldn't exist. And if you have a proper LN client, then it won't accept a fake public key.

So, to sum up: if you can handle Lightning Network, then you can handle multisig. You don't have to do everything manually; there are many ready-to-use clients. And if you feel more comfortable with 2-of-3 multisig, instead of 2-of-2, then just change it. Most rules will stay the same.
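
Added example, not part of the post above: one way to carry out the check it describes, confirming that the witness script a wallet shows really hashes to the P2WSH deposit address and that your own public key is among the cosigners. It assumes mainnet (`bc`) addresses and a plain `OP_m <compressed keys> OP_n OP_CHECKMULTISIG` script; the keys are constructed placeholders and all function names are illustrative.

```python
import hashlib

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3]

def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = (chk & 0x1ffffff) << 5 ^ v
        for i in range(5):
            chk ^= GEN[i] if (top >> i) & 1 else 0
    return chk

def p2wsh_address(script: bytes, hrp: str = "bc") -> str:
    """BIP173 address for the witness v0 program SHA256(script)."""
    data, acc, bits = [0], 0, 0            # leading 0 = witness version
    for byte in hashlib.sha256(script).digest():
        acc, bits = (acc << 8) | byte, bits + 8
        while bits >= 5:                   # regroup 8-bit bytes into 5-bit symbols
            bits -= 5
            data.append((acc >> bits) & 31)
    if bits:
        data.append((acc << (5 - bits)) & 31)
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    pm = _polymod(hrp_exp + data + [0] * 6) ^ 1
    data += [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data)

def parse_multisig(script: bytes):
    """Return (m, keys) for OP_m <33-byte key>... OP_n OP_CHECKMULTISIG."""
    if len(script) < 3 or script[-1] != 0xAE:
        raise ValueError("not a plain CHECKMULTISIG script")
    m, n, body = script[0] - 0x50, script[-2] - 0x50, script[1:-2]
    if len(body) % 34 or any(body[i] != 33 for i in range(0, len(body), 34)):
        raise ValueError("unexpected element between OP_m and OP_n")
    keys = [body[i + 1:i + 34] for i in range(0, len(body), 34)]
    if not 1 <= m <= n <= 16 or len(keys) != n:
        raise ValueError("m/n do not match the keys present")
    return m, keys

def check_deposit_address(address: str, script: bytes, my_key: bytes):
    """Pass only if the script hashes to the address and my_key is a cosigner."""
    if p2wsh_address(script) != address.lower():
        return False, "script does not hash to this address"
    m, keys = parse_multisig(script)
    if my_key not in keys:
        return False, "my key is not in the script"
    return True, f"{m}-of-{len(keys)} multisig containing my key"

# Constructed placeholder keys (not real curve points), for illustration only.
MINE, COSIGNER_B, COSIGNER_C, UNKNOWN = (bytes([2]) + bytes([i]) * 32 for i in (1, 2, 3, 9))
def multisig_script(m, keys):
    return bytes([0x50 + m]) + b"".join(b"\x21" + k for k in keys) + bytes([0x50 + len(keys), 0xAE])
```

A script in which one cosigner key has been swapped hashes to a different address, so the first check fails; a script that matches the address but lacks your key fails the second.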