Would security be significantly improved (or at least only really require trust of blockchain.info) if a username/password pair was also required to even get the encrypted private key?
Maybe, but that only takes out one of five attacks. The remote server still has access to all your private data, your backups are still weak, and plugins can still access everything.
Blockchain.info is also behind CloudFlare, so you have to trust them too.