1. Yes, but you can have many git servers. Each repo is a full copy, so central repos are basically throwaway. Lose one, make a new one, push to it.
2. The amount of available resources is amazing, but still, nobody cracks gpg encrypted files; nobody is dumb enough to try. Keeping up with the tool chain and updating keys every few years as the recommendations and capabilities change should do you fine.
Generally the weak point anyone would assault a gpg based setup is either key storage or end point usage.
Nothing will stop a malware you don't know about from scraping the decrypted passwords as you decrypt them. If you store keys locally in an exportable form and type the decryption passphrase, then it can all be stolen by malware as well.
However, if you store subkeys on hardware that can't export them, and requires a touch, so it can't be used as an oracle easily... then the best they can do is that.
In this scheme each password has its own decryption session key, and that key is the only sensitive data that the hardware key works with. At best they get one message at a time, as you use them; and that requires that they own your endpoint in some way.
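To make the "one session key per message" structure concrete, here is an added example (not code from the comment above or from gpg) that frames and walks a constructed OpenPGP message: a Public-Key Encrypted Session Key packet, which is the only thing the hardware-held subkey ever decrypts, followed by the Symmetrically Encrypted Integrity Protected Data packet that actually holds the password. The key ID and byte contents are made up; the packet framing follows RFC 4880 section 4.2.

```python
# Added example: minimal OpenPGP packet framing/walking to show that the
# hardware subkey only sees the PKESK packet (wrapped session key), while the
# payload sits in a separate SEIPD packet. All values below are constructed.
import struct

PKESK, SEIPD = 1, 18  # packet tags, RFC 4880 section 4.3

def new_format_packet(tag, body):
    """Wrap body in a new-format packet header with a 1-, 2- or 5-octet length."""
    n = len(body)
    if n < 192:
        hdr = bytes([0xC0 | tag, n])
    elif n < 8384:
        hdr = bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 0xFF]) + struct.pack(">I", n)
    return hdr + body

def build_message(key_id, wrapped_session_key, ciphertext):
    """PKESK v3 (key id, algo 1 = RSA, one MPI) followed by SEIPD v1."""
    bits = int.from_bytes(wrapped_session_key, "big").bit_length()
    mpi = struct.pack(">H", bits) + wrapped_session_key
    pkesk = bytes([3]) + key_id + bytes([1]) + mpi
    return new_format_packet(PKESK, pkesk) + new_format_packet(SEIPD, bytes([1]) + ciphertext)

def parse_packets(data):
    """Return a list of (tag, body) for each new-format packet in data."""
    out, i = [], 0
    while i < len(data):
        first = data[i]
        if first & 0xC0 != 0xC0:
            raise ValueError("old-format packets are not handled in this example")
        tag, i = first & 0x3F, i + 1
        b1 = data[i]; i += 1
        if b1 < 192:
            n = b1
        elif b1 < 224:
            n = ((b1 - 192) << 8) + data[i] + 192; i += 1
        elif b1 == 255:
            n = struct.unpack(">I", data[i:i + 4])[0]; i += 4
        else:
            raise ValueError("partial-length packets are not handled")
        out.append((tag, data[i:i + n])); i += n
    return out

def recipient_key_id(pkesk_body):
    """Key ID of the (sub)key this session key was wrapped to."""
    return pkesk_body[1:9].hex().upper()

# Constructed sample: a fake 2048-bit RSA-wrapped session key and 40 bytes of ciphertext.
SAMPLE = build_message(bytes.fromhex("0123456789ABCDEF"), bytes([0x9A]) * 256, bytes(40))
```

Running `parse_packets(SAMPLE)` yields two packets, tag 1 then tag 18; `recipient_key_id` on the first shows which subkey has to perform the single private-key operation, and nothing in the second packet is ever sent to the token.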