Your statements are generally accurate about how the iOS 4 cryptosystem works. However, they apply only when the applications in question are actually requesting data protection services from the OS. If an application doesn't require data protection, these restrictions won't be enforced. See this presentation from last year's WWDC (the person who posted it probably broke NDA, but whatever).
The Fraunhofer paper states that some types of sensitive materials could be obtained without the passcode. Hence the screaming headlines. But it is just as interesting to note that some items WERE NOT accessible without the passcode, which implies that they were protected using the data protection techniques you described (and as outlined in the PDF).
I think what happened here is that the items that the Fraunhofer researchers were able to access were related to apps that didn't require data protection, OR the specific keychain items were marked kSecAttrAccessibleAlways or kSecAttrAccessibleAlwaysThisDeviceOnly. That's a guess.
If that's true, then all that is needed is for Apple to make a few minor code changes to the apps so that they observe the proper data protection policies.
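As an added illustration of the keychain protection classes the answer above refers to (this is example code, not from the original post or from Apple): the first function stores a secret under an explicit accessibility attribute, and the second audits the app's own generic-password items and counts those marked kSecAttrAccessibleAlways or kSecAttrAccessibleAlwaysThisDeviceOnly. The service/account names are constructed placeholders.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Store a secret with an explicit protection class. kSecAttrAccessibleAlways
// is the weak choice: the item is recoverable without the passcode. For most
// secrets use kSecAttrAccessibleWhenUnlockedThisDeviceOnly instead.
static OSStatus StoreSecret(NSString *service, NSString *account,
                            NSData *secret, CFTypeRef accessibility) {
    NSDictionary *item = [NSDictionary dictionaryWithObjectsAndKeys:
        (id)kSecClassGenericPassword, (id)kSecClass,
        service,                      (id)kSecAttrService,
        account,                      (id)kSecAttrAccount,
        secret,                       (id)kSecValueData,
        (id)accessibility,            (id)kSecAttrAccessible,
        nil];
    return SecItemAdd((CFDictionaryRef)item, NULL);
}

// Enumerate this app's generic-password items (the keychain only returns
// items in the caller's access group) and count those with a class that
// does not depend on the passcode. Returns the number of weak items found.
static NSUInteger AuditWeakKeychainItems(void) {
    NSDictionary *query = [NSDictionary dictionaryWithObjectsAndKeys:
        (id)kSecClassGenericPassword, (id)kSecClass,
        (id)kSecMatchLimitAll,        (id)kSecMatchLimit,
        (id)kCFBooleanTrue,           (id)kSecReturnAttributes,
        nil];
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((CFDictionaryRef)query, &result) != errSecSuccess)
        return 0;   // errSecItemNotFound when the app has stored nothing
    NSUInteger weak = 0;
    for (NSDictionary *attrs in (NSArray *)result) {
        NSString *acc = [attrs objectForKey:(id)kSecAttrAccessible];
        if ([acc isEqualToString:(NSString *)kSecAttrAccessibleAlways] ||
            [acc isEqualToString:(NSString *)kSecAttrAccessibleAlwaysThisDeviceOnly]) {
            NSLog(@"weak protection class on %@/%@",
                  [attrs objectForKey:(id)kSecAttrService],
                  [attrs objectForKey:(id)kSecAttrAccount]);
            weak++;
        }
    }
    CFRelease(result);
    return weak;
}

// Constructed usage: one weak item and one properly protected item.
static void Demo(void) {
    NSData *tok = [@"example-token" dataUsingEncoding:NSUTF8StringEncoding];
    StoreSecret(@"example.svc", @"weak", tok, kSecAttrAccessibleAlways);
    StoreSecret(@"example.svc", @"ok", tok, kSecAttrAccessibleWhenUnlockedThisDeviceOnly);
    NSLog(@"weak items: %lu", (unsigned long)AuditWeakKeychainItems());
}
```

Running Demo on a device reports one weak item; changing the first call's accessibility constant to a WhenUnlocked class is the kind of minor change the answer has in mind.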