For the services that instantly credit your account after you deposit bitcoin, are they at risk?
With zero confirmations, double-spends are possible even without having any mining power "on your side". If the service credits your account and allows you to do irreversible things with that credit, then they are at risk. This can be mitigated by allowing only reversible things, banning accounts/IPs who double spend (this is only marginally useful if accounts can be created anonymously), making the only "credit" be dependent on the original tx confirming (as some gambling sites do), etc.
Because I know bitstamp now requires 6 confirmations and others usually require 3 confirmation. I'm unclear why some require 0 confirmation, and why some require so many.
There needs to be some balance of time delay (high confirmations = long wait) vs security (high confirmation = high security) and prevention (if you wait for 6 confirmations before doing anything on your end, it's all-but-perfectly secured) vs cure (you can monitor for double-spend attempts and ban accounts). Different services choose different confirmation numbers based on how many confirmations their business needs, based on factors like these.
Orphaned blocks where transactions are lost are pretty rare. They are rare enough that Bitpay can take payment with 0 confirmations.
You don't need an orphaned block for a double spend to take place. That would argue for accepting 1 confirmation. All that needs to happen to double spend a 0 confirmation is that the service sees a tx that doesn't enter the blockchain in the end (e.g. because you announced it only to the merchant, and announced a conflicting tx to the rest of the network at the same time).
