The problem with your "properly written" qualifier is that it presents an inherently problematic challenge. LastPass says that it operates the correct way, but how can I verify that? Because their website says so? I have no meaningful way to acquire proof that it does what it's supposed to do. Additionally, if I do use unique, gibberish-string passwords, I officially become dependent on LastPass; that dependency has its own points of concern. It may not be convenient to have passwords written in a book that's left at home, but the tradeoff between "not being available in a grocery store" and "not being susceptible to LastPass hacking / ending service / software vulnerabilities / NSL" has definite advantages on both sides.
First of all, while the physical book of unique passwords for every site is the best solution as far as security goes, the average user isn't going to be able to deal with not having access to xyz.com in the grocery store. It's much easier to be lazy and use the same password everywhere and store that in the browser's crappy, unencrypted password manager so they don't even have to put in the effort to remember it.
You are right in that LastPass does provide an auditing challenge. As you noted earlier, even if it were 100% FOSS (I would love it if it were), I and most other people do not have the skills to correctly audit it anyway. There are other open-source alternatives out there that can be audited, but they usually require bringing your own "cloud" and thus are more difficult for novice users to use. Luckily, if you are really concerned about LastPass, you can do a packet capture to verify it is only storing properly encrypted data.
If LastPass really does what they claim, hacking/NSA isn't an issue (because you already verified via a packet capture that your data is only uploaded to them in an encrypted form, right?). If your master password gets brute-forced, it's your own fault. Ending service isn't an issue because there's nothing stopping you from clicking on "Tools -> Advanced Tools -> Export To -> CSV File."
I'm not saying LastPass, KeePass, etc. are perfect, but they are 1000x better than using Kitten1 as a password everywhere like the average person does. I suspect Joe Schmoe's blog where Mr. Average commented once is easier to hack than LastPass, and a hack there will likely give the attacker access to Average User's inbox just like a worst-case LastPass compromise. Not using a password manager is equivalent to giving every site you have an account on the same level of trust you would have to give LastPass or your storage provider where your KeePass file is located. At least with a password manager, you only have to place your trust in one, hopefully security-focused, provider whose primary business model is keeping your data secure.
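An added illustration of the packet-capture check suggested above (this is not the commenter's code): assuming you have already decrypted your own client's TLS traffic on your own machine, for example with a locally trusted interception proxy, the Python below audits one captured request body for any plaintext, hex or base64 form of a known site password and measures the entropy of the largest base64 field once decoded, since a real vault upload should carry only an opaque, high-entropy blob. The 32-character base64 run heuristic, the 7-bits-per-byte threshold, the sample bodies and the SHA-256-derived stand-in blob are all constructed assumptions, not anything LastPass actually sends.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Runs of base64 text long enough to be a ciphertext field (hypothetical heuristic).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, well under 6 for JSON or prose."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def secret_encodings(secret: str) -> dict:
    """Forms a careless client might send a secret in: raw, hex, base64, base64url."""
    raw = secret.encode()
    return {"plain": raw, "hex": raw.hex().encode(), "base64": base64.b64encode(raw),
            "base64url": base64.urlsafe_b64encode(raw).rstrip(b"=")}

def audit_body(body: bytes, secret: str, min_bits: float = 7.0) -> dict:
    """Audit one decrypted request body: flag any plaintext form of the secret and
    measure the entropy of the largest base64 field once decoded."""
    leaks = [name for name, enc in secret_encodings(secret).items() if enc in body]
    blobs = []
    for m in B64_RUN.finditer(body):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError: the run was not base64
            continue
    blob_entropy = max((shannon_entropy(b) for b in blobs if len(b) >= 256), default=0.0)
    return {"leaked_as": leaks, "blob_entropy": round(blob_entropy, 2),
            "looks_encrypted": not leaks and blob_entropy >= min_bits}

def fake_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy stand-in for a vault blob (constructed, NOT encryption)."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed sample bodies: one leaks the site password, one carries only an opaque blob.
LEAKY_BODY = b'{"site":"xyz.com","user":"average","password":"Kitten1"}'
ENCRYPTED_BODY = b'{"site":"xyz.com","data":"' + base64.b64encode(fake_ciphertext(1024)) + b'"}'
```

Run `audit_body(body, "Kitten1")` on each captured body; the first sample reports `leaked_as == ["plain"]`, the second reports no leak and a blob entropy near 8 bits per byte.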
I don't dispute that. The point I was making was that updates are not universally better than their predecessors. Yes, I rolled that firmware back, but the fact that I needed to do so was more where my objection was focused.
It is fair to say that security updates are better than their predecessors, which is what I'm pretty sure the experts were talking about when they talk about patching. Feature updates are kind of out of the scope of the article (although some vendors don't make much of a distinction, which makes it hard for novice users to determine whether an update should be installed or not, but this is 100% the fault of shitty vendors).