Third-party alert systems may be a good idea. These might also have faster responses than Bitcoin network alerts.
Big sites like Google or Akamai have distributed systems that balance user traffic and fight DDoS attacks, so it should be possible to create such a system.
Since alerts are signed, there is no need to have trusted "alert nodes". It can be just some cloud service that mirrors and distributes your site geographically. Or a bunch of cheap VPS servers rented in different locations.
Or better yet - a simple protocol and reference library implementation for big bitcoin site owners to serve as alert relays.
Any "bitcoin watchman" can connect to any alert node and post a message. The node checks the signature and relays it to other alert nodes. If the protocol is kept extremely simple, it can arguably be better secured than the complex client.
The message can be multi-signed if needed.
The client would have a hard-coded list of alert nodes to randomly check for messages on startup before connecting to other nodes. If the list is sufficiently large and geographically spread, it would be hard to shut them all down with DDoS.
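
The relay behaviour described in this post, as an added example that is not part of the original post or of any Bitcoin code: a node that holds only public keys, verifies a k-of-n multi-signed alert, drops duplicates and forwards the rest to its peers. Ed25519, the one-signature-slot-per-key layout, the in-process peers that stand in for network connections, and the names `Node`, `NewNode`, `Submit` and `Demo` are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Node is a hypothetical relay: it holds only public keys, so it cannot forge alerts.
type Node struct {
	Keys      []ed25519.PublicKey // watchman keys shipped with the node
	Threshold int                 // valid signatures required (1 = single-signed)
	Peers     []*Node
	Alerts    map[string]bool // accepted alert texts; also ends relay loops
}

func NewNode(k []ed25519.PublicKey, t int) *Node { return &Node{Keys: k, Threshold: t, Alerts: map[string]bool{}} }

// Submit reports whether payload was newly accepted; accepted alerts are relayed.
func (n *Node) Submit(payload []byte, sigs [][]byte) bool {
	valid := 0
	for i, k := range n.Keys { // sigs[i] counts only against Keys[i]: no double counting
		if i < len(sigs) && ed25519.Verify(k, payload, sigs[i]) {
			valid++
		}
	}
	if valid < n.Threshold || n.Alerts[string(payload)] {
		return false // under-signed, or already seen
	}
	n.Alerts[string(payload)] = true
	for _, p := range n.Peers {
		p.Submit(payload, sigs)
	}
	return true
}

func Demo() (relayed, forged bool, atPeer int) {
	pubs, privs := make([]ed25519.PublicKey, 3), make([]ed25519.PrivateKey, 3)
	for i := range pubs { // constructed throwaway keys for three watchmen
		pubs[i], privs[i], _ = ed25519.GenerateKey(nil)
	}
	a, b := NewNode(pubs, 2), NewNode(pubs, 2) // 2-of-3, peered in a loop
	a.Peers, b.Peers = []*Node{b}, []*Node{a}
	msg := []byte("constructed alert text")
	sigs := [][]byte{ed25519.Sign(privs[0], msg), nil, ed25519.Sign(privs[2], msg)}
	relayed, forged = a.Submit(msg, sigs), a.Submit([]byte("forged text"), sigs)
	return relayed, forged, len(b.Alerts)
}

func main() { fmt.Println(Demo()) }
```

Because a node only ever verifies, the worst a hostile or compromised relay can do is withhold an alert, which is the case the client's random choice among many nodes is meant to cover.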