It shouldn't be seen as a silver bullet or magic weapon. It would require a smart merchant who deals in low price, high margin transactions and is willing and able to do some risk analysis. Remember credit cards are 0% risk either. The goal for a merchant who needs to deal w/ real time tx shouldn't be 0% fraud but to minimize and manage that fraud.
And that is why the download services that take 0-confirmation transactions are totally safe: bandwidth is cheap, and if a file is stolen like this, they can just simply tell whoever would have been paid that the file was stolen and that they won't be paid for that download. The person who would have been paid wouldn't care either, since to them, the person who stole the file might as well have just pirated it instead of stealing it directly.
Hell, if you've ever downloaded a song at Amazon MP3 or itunes, they don't even bother authorizing the credit card for a few hours. Defeating that doesn't even require you to do something as technically difficult as a normal Bitcoin double-spend!
Double-spends matter to so few people that it's sort of ridiculous. As I've mentioned in the past, double spends only matter if all of the following are true:
1) Purchaser is anonymous. Real life isn't anonymous, since it can be recorded with a video camera.
2) Item is irrevocable/irretrievable.You could buy a video game license instantly, without risk to the publisher, because it is revocable.
3) Transaction is instant.Finney attacks add even more restrictions:
4) Item is easy to resell/you can easily get a refund. Finney attacks don't always work, and unlike normal double-spends where you can try it only when you want the item anyway, you will most likely need to be able to resell the items to make up for your loses when the Finney attack fails. This restriction isn't always true, but it certainly reduces the motivation to steal the item.
5) Attacker is able to pick the time that they pay at, within a few seconds.Imagine waiting to do a Finney Attack at the grocery store. You get a notification to checkout immediately, then some couponer gets in the checkout line right before you do. Or, more likely, as your stuff is being scanned at the checkout, you lose the Finney Attack because another block was found as you were checking out.
As you can see, real life zero-confirmation transactions are already at least as safe as credit cards are to the merchants, and more likely they are several orders of magnitude safer. This is even true of most internet transactions: if credit cards are already good enough for a business, zero-confirmation bitcoin transactions likely are too. This could even eventually include selling gift cards if you are able to convince a retailer to let you revoke the remaining balance of a gift card if the transaction fails (currently, this is a big if, but it can happen if retailers start selling their own giftcards for bitcoins).
Off the top of my head, the only things that I can think of that would need to worry about the Finney Attack are places that sell cash or cash-like items. Mostly, that would be exchanges, but that definition can also include any e-wallet that allows you to withdraw without tying the withdrawal transaction to the deposit transaction (which would be a good idea for e-wallets to start doing; thank you satoshidice for the idea) or without waiting 6 confirmations.
