Wow, thanks a lot for taking the time to write this long response!
Regarding the SD card: I just did a device reset and then used the card to restore my wallet. This process requires the original passphrase to be entered, therefore I assume the backup is encrypted. Of course the backup cannot be protected against brute-force attacks, so this might be one of the more promising attack vectors.
Concerning the password: I am still waiting for the day that someone uses the concept of the Kingston DataTraveler-2000 (see picture) for a hardware wallet.
Concerning the company itself: It seems they are situated in Switzerland and that they are a spin-off of ETH Zurich. As far as I know, the ETH has a very good name all around Europe and even in the States. When I bought the device for testing, I was a little worried about the appearance of the website. They use a Let's Encrypt SSL certificate without any kind of ownership certification, and there does not seem to be any kind of office address. Possibly this, together with the fact that the code has not been maintained in a while, is caused by the fact that there are only two guys behind it, and they seem to be fresh from uni.
I really hope they are going to take the time to fix these 'issues' in the future and also that they hire some more people. Maybe I will go pay them a visit the next time I'm in Switzerland. If I do I'll report back^^
Currently I don't have all that much time on my hands, but following your guide to a secure wallet is a fixed point on my to-do list.