If I generate addresses on the fly for each transaction, this mean I have to save the key to each address on the server. For many small business the use shared hosting, security will be a major issue.
If I generate the addresses offline, it solves the security problem.
You just addressed your own concern.
And even if I have an address for each transaction, one can still figure out how much I am selling. I will have to turn those coins into fiat money in some market. So I will have to transfer them to some main address...
Why would you have to transfer them to a "main address"? If you're going to sell them on an exchange like Mt. Gox, it basically works like a mixing service. I once had someone "examine" an address of mine, not realizing it was one generated by Mt.Gox and he congratulated me on my success since he could see that "I" had traded millions of bitcoins.
But I don't see a way to hide my income from a determined "spy".
Conventional accounting doesn't "hide" anyone's income. Merchants looking to keep company business a secret from prying eyes, ie auditors, cook their books.
Bitcoin may be anonymous, but its open ledgiure blockchain may eventually kill it.
This is a common misconception. Bitcoin doesn't require identifying information from you for it to work but it is not inherently anonymous. Many here (myself included) would call its transparency a feature, not a fault.