1. Terrible because being a single point of failure? If so I agree. But also then, mitigation could be either to be cautious about what that key is securing, or managing a set of keys for specific purposes (although fair enough, we'd be back to square 1 in regards of device engagement 😅 )
With 2. I can't agree more as well. As for that matter nostr is also friendly towards running self hosting setups; that being said, self hosting could also be prone to single point of failure risks, ie, `centralizing' servers at home prone to $5 wrench's 🤔  

 I think since nostr just so many little components, I agree very self-hosting friendly. I've built my own signer and have a private relay (for testing) and so on. Self hosting is not cheap or easy, unless uptime isn't a big deal, so for sure. Anything that is too complicated for the average user to build/run risks centralization imo.