As far as attacking, yes you do need some stake at least initially to attack a poS coin, so it's not truly free. probably you would need something on the order of a 1% stake. But on the other hand, it doesn't necessarily mean poS will work at larger scales; many have serious concerns about the security model. You are right that the concerns are theoretical as of now.
It would need significantly more than 1% stake. Again, I am thinking in terms of DPoS, as I don't have a thorough knowledge of the alternatives.
Whether the security remains as robust with scaling remains to be seen, but that is only possible when it gets big. I haven't seen any good theoretical attack vectors which may compromise it on a bigger scale. In case it does, the developers have to look at improving the solution, like DPoS itself was an evolution through a series of steps.