[qertoip]

The double spend is only possible against specific counter-party, for example an exchange or a merchant.

For very large value transfers exchanges are expected to wait for 100 confirmations (~17 hours) until they credit balance.

It's all probabilistic.

Finally, Bitcoin PoW is not security theatre, it is just one piece of the complex security system.

[hudon]

The most recent bug (that we know of) that allowed double-spend was in production for over a year [0] (~Sept 2017 to ~Sept 2018). I don't think it is possible to accurately determine the probability of this bug being exploited (because you are right, it is "all probabilistic"), but this inability to determine the probabilities is precisely why PoW is security theatre. PoW has always been painted as a mathematical model of the security of the system (see featured article), but in reality this model is not accounting for the much more realistic attack vectors. Hence it fails to be an accurate model.

If you're just saying that PoW isn't painting the whole picture, I agree with you.

[0] https://bitcoincore.org/en/2018/09/20/notice/