1) I don't use a single program; I use a single format. I use different programs per platform, but all of them use Password Safe compatible databases. Sync is done via an encrypted cloud storage service.
2) Admittedly, this is a potential issue, but in my opinion there are two problems with this point. First, you trivialize it by saying "all you have to do is crack the keychain." With a strong enough passphrase that will not be easy at all. Second, you're changing the threat model under discussion. A compromised website with re-used passwords is one thing; someone coming directly after your locally stored data (e.g., your keychain) is another. In the first model, the attacker will not have access to your keyring, and therefore has no chance of cracking it. In the second model, if you're the direct target, precautions probably aren't going to matter.
3) Backups. The same encrypted storage service that handles my sync keeps automatic, versioned backups.