Well at least I'm introducing numbers and trade-offs into the equation. That's something we need a lot more of in security discussions - it is usually just emotion and guesswork.
The Israeli model depends on well-trained people, well-organized airports and well-tested plans. Making that work with hundreds of airports large and small, thousands of planes and hundreds of thousands of people would require a huge investment in time and money.
Even if you could scale just FAMS to handle every flight, why would you? Let's get back to question you asked at the start of this thread: Is it cost effective?
What threats would they guard against? Regular crimes and unruly passengers? As noted above, they don't seem to be doing much of that. How about folks like the shoe bomber? He was first detected by the person seated next to him, and subdued by nearby passengers. An air marshal riding in the front could have joined in, but wasn't necessary.
What about the guy who might try to hijack the plane with a box cutter? That hasn't worked for nine years - reinforced cockpit doors and passenger awareness have taken care of that.
So, to summarize: is FAMS, in its current incarnation, worth the money? I say no. Would FAMS with air marshals on every flight be worth it? I really, really doubt it. Would an air marshal program consisting of a dozen guys and a lot of fake publicity about how many there are be worth it? Maybe - it's security theater, but it'd be cheap security theater.
It's this very expensive security theater we have right now that is the real stupidity.
What metric would you propose? Spending $200 million per arrest would seem to indicate that there just isn't that much crime to prevent.
And there is no way to measure how effective FAMS is against terrorist attacks. The smart terrorists are not going to be deterred by the low odds of riding with an air marshal. The stupid terrorists probably don't even know they exist.
The comments in the Schneier post do a good job of exploring this. It seems likely that there are better ways of spending almost a billion dollars a year.
That was one of several possibilities he proposed in response to the original question (why no attacks?)
There, he's basically saying that 9/11 changed the equation, which is a statement we can discuss rationally. But instead we get a bunch of responses to the emotion-laden headline.
the only way I can conceive this to be hacked
Always a dangerous statement - just because you can't think of an attack doesn't mean there isn't one.
You are correct that no one is going to guess the next one-time password. Instead, they are going to attack your machine, and piggyback on your session after you have logged in. This is happening in the wild today, although it's mostly aimed at larger commercial accounts.
Those keypads are more secure because they can be used to enter unique data for each transaction, like the amount of a transfer. Plus, they aren't connected to a network, so remote hacks are blocked. The keypad's generated code will definitively prove that the holder of the device entered the transaction data(*).
Obligatory Schneier reading: http://www.schneier.com/blog/archives/2009/09/hacking_two-fac.html
(*) The most likely attack against devices like this: the key stored on the bank's server. But it's just a single target, so it is easier to harden.
In seeking the unattainable, simplicity only gets in the way. -- Epigrams in Programming, ACM SIGPLAN Sept. 1982