2) Keep the address and the keys separate until you are ready to spend. Addresses should be digital only and keys should be physical only. Theft would require both a physical theft and a digital one.
The address is derived from the public key, the public key is derived from the private key. Steal the private key (regardless of whether it's in physical or digital form) and you have everything you need to find the public key and the address. You also have the only thing you need (the private key itself) to steal any funds belonging to the address.
As far as securing the private keys on your paper wallets, there are two ways to be reasonably certain that it's secure. The first is to use something like safepaperwallet.com where you buy blanks and you generate and print the keys yourself. As long as you do that securely you know nobody else has access to those keys. The other way, as mentioned by a few people already in this thread, is to use BIP38 encrypted keys. You can use safepaperwallet.com, openpaperwallet, bit2factor.org or the Casascius Address Utility to generate these.
If you're buying pre-printed wallets BIP38 is the best option (other than not buying pre-printed wallets, of course) since you can generate an "intermediate code" derived from your password and the seller can generate an encrypted private key without ever knowing the key or your password. There are 2-factor Casascius physical bitcoins that are made this way, so even if he didn't generate the keys in a secure and private way (and destroy all key material as soon as they're printed) he would have no way of knowing the private keys.