I think it is a matter of trust - average users might trust the bitcoin.org client (because it's by far the oldest and most popular) but not trust other light clients not to steal all their money - and why should they?
Perhaps bitcoin.org should host a trusted version of a light client.
One of the reasons why I have been working on getting AES encrypted private keys into MultiBit (it's in test at the moment) is that it helps here.
Imagine a 'rubber hose attack', i.e. someone threatens me and says 'Put a backdoor into MultiBit or we shoot your family'.
When encrypted wallets go into MultiBit you can then have:
+ AES encrypted private keys where there is no record - except with the user - of the password.
+ Multiple wallets e.g. a daily use wallet, savings1, savings2 etc.
+ You encrypt all of your private key export files. This is recommended practice - there is a warning message if you export unencrypted.
+ Perhaps you also keep a copy of MultiBit with a wallet on a USB stick so that it is not even online 99.9% of the time.
+ There is an extremely gossipy user base that will flush out any wallet stealing action that occurs.
These elements collectively give an element of protection.
The only time MultiBit could steal your BTC from an encrypted wallet is after you type in your password (so that the private keys can be decrypted and a 'steal transaction' can be signed).
Say you upgrade to the hypothetical Trojan MultiBit and open your daily wallet and enter your password. You are unlucky enough to be the first person who does this and your BTC get stolen.
You then tell everyone - this will happen virtually instantly. No one will download the trojan MultiBit. (This is the reason there is no auto-update too, actually.)
In this scenario the Trojan cannot decrypt the private keys of your rarely used savings wallets (assuming you have used a different password from your daily wallet - you have to take reasonable precautions).
It is not perfect but hopefully the low chance of it actually working in practice makes this sort of attack not worth bothering with.