The odds of a counterwallet passphrase being brute-force discovered are roughly the same as any Bitcoin private key being brute-force discovered.
Indeed this is not what to worry about. What to worry about, are trojans, rootkits, keyloggers, screen scrapers, nosy coworkers, etc.
Yes. And don't forget fishing. Never google "counterwallet" or you can end up clicking on a sponsored imposter. I learned my lesson after googling "blockchain" a few months ago - I am surprised that Google has not blacklisted this keyword by now.