Fair points. Note that all wallets have this exact problem too :-)
Which is another way to say that p2sh web wallets have the same problem as anything else
(barring offline ones).
Wait - that is definitely not true. :-)
Granted, you did identify that for one type of attack, P2SH doesn't fully protect you. But you're leaving off the far more common cases where P2SH doesn't have the same problems as standard addresses:
For active attacks, like you described, you're right, P2SH has the same vulnerability as standard addresses. But as I mentioned, the second machine in the 2-signature process can audit, enforce spending limits, introduce delays, do additional confirmations, etc. Although this is not a panacea, it's something you can't do with standard addresses.
For idle attacks, which is what we mostly read about these days, P2SH is much stronger than standard addresses. With standard addresses, hacking a single key system and stealing a single key gives you full access to the entire address, and you can steal the money at any time. With a multi-signature address, you get nothing from doing this.
Mike
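
An added example, not part of the message above or of any wallet's code: a sketch of the policy checks the second machine in a 2-of-2 setup could run before it co-signs (audit log, spending limits, delay). The limits, the class name and the request format are assumptions, and the actual signing step is left out.

```python
from dataclasses import dataclass, field

# All limits and names below are assumptions made for this example.
PER_TX_LIMIT = 50_000_000      # satoshis; larger spends are refused outright
DAILY_LIMIT = 100_000_000      # satoshis co-signed per rolling 24 hours
DELAY_THRESHOLD = 10_000_000   # spends at or above this must wait first
DELAY_SECONDS = 6 * 3600       # waiting period for large spends
DAY = 24 * 3600


@dataclass
class CoSigner:
    """Policy gate in front of the second key of a 2-of-2 P2SH address."""
    approved: list = field(default_factory=list)   # (time, amount) co-signed
    pending: dict = field(default_factory=dict)    # txid -> time first seen
    audit_log: list = field(default_factory=list)  # every decision made

    def review(self, txid, amount, now):
        """Return 'sign', 'hold: ...' or 'reject: ...' and record it."""
        decision = self._decide(txid, amount, now)
        self.audit_log.append((now, txid, amount, decision))
        if decision == "sign":
            self.approved.append((now, amount))
            self.pending.pop(txid, None)
        return decision

    def _decide(self, txid, amount, now):
        if amount <= 0 or amount > PER_TX_LIMIT:
            return "reject: per-transaction limit"
        # The daily limit is checked at signing time, so several held
        # requests cannot add up to more than the limit.
        spent = sum(a for t, a in self.approved if now - t < DAY)
        if spent + amount > DAILY_LIMIT:
            return "reject: daily limit"
        if amount >= DELAY_THRESHOLD:
            first_seen = self.pending.setdefault(txid, now)
            if now - first_seen < DELAY_SECONDS:
                return "hold: delay not elapsed"
        return "sign"
```

A request that the first machine has already signed is passed to `review()`; only a `"sign"` result would release the second signature, and `audit_log` keeps every decision for later review.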