Do multisig and 2FA solve anything? No, because the multisig is provided by the web wallet server, and if that is compromised then the multisig is also compromised and useless.
Can this be solved by having one or more of the multisig providers reside on another unknown server, or possibly from some or all of the delegates themselves?
You can distribute these keys of the multisig over multiple servers, but at the end of the day there will only be a handful of servers to attack to gain access to all users.
The better solution is to force the attacker to hack into each user's computer at a minimum if they want to steal their funds. Adding multisig on top of that of course adds more security and I highly recommend that.
And as I explained, serving this as a typical web page (even if HTTPS protected) allows the attacker to avoid hacking into each user's computer. I think a browser extension that you have to manually install once and need to explicitly approve of any upgrades would help a lot. Personally, I don't feel very comfortable with using any browser-based solution for serious money. I would want to download a deterministically-compiled executable that is signed by enough of the core devs with their PGP keys which I have already established on my local computer (actually I would want the source archive signed by the devs and then would want to compile it myself, but the deterministic build is a better solution if you don't want to compile yourself). To make this easier, it should be possible to use the previous version of the client and the web-of-trust on the blockchain to validate the signatures of the new version of the client. That way upgrades can be very simple for regular users (no PGP required). The only issue then is how to establish the first installation of the client on a new computer. Still, even if we rely on HTTPS for the security of that initial download, the attack surface becomes so much smaller that it is difficult for an attacker to be very successful.
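The upgrade check described above (the previously installed client pins the core devs' keys and only accepts a new deterministic build signed by enough of them), as an added example that is not code from this thread or from any wallet project. It assumes ed25519 in place of PGP, a constructed 2-of-3 policy and a constructed stand-in for the binary; it also shows why a repeated signature from one dev or a signature from an unpinned key must not count towards the threshold.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Sig is one developer's signature over the sha256 of the deterministically built
// executable, together with the public key that made it.
type Sig struct {
	Pub ed25519.PublicKey
	Sig []byte
}

// VerifyRelease accepts a downloaded client only if at least threshold distinct
// developer keys pinned in the previously installed client signed its hash.
// Unpinned keys, repeated keys and signatures that do not verify never count.
func VerifyRelease(pinned []ed25519.PublicKey, threshold int, binary []byte, sigs []Sig) bool {
	digest := sha256.Sum256(binary) // a swapped binary changes the digest and voids every signature
	allowed, counted := map[string]bool{}, map[string]bool{}
	for _, p := range pinned {
		allowed[string(p)] = true
	}
	for _, s := range sigs {
		if k := string(s.Pub); allowed[k] && !counted[k] && ed25519.Verify(s.Pub, digest[:], s.Sig) {
			counted[k] = true
		}
	}
	return len(counted) >= threshold
}

// Demo is a constructed 2-of-3 scenario: a release signed by two pinned devs, one with a
// single dev signature repeated plus an unpinned attacker key, and a tampered binary.
func Demo() (good, padded, tampered bool) {
	pinned, privs := []ed25519.PublicKey{}, []ed25519.PrivateKey{}
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		pinned, privs = append(pinned, pub), append(privs, priv)
	}
	binary := []byte("constructed stand-in for the new client executable")
	digest := sha256.Sum256(binary)
	sign := func(priv ed25519.PrivateKey) Sig {
		return Sig{priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, digest[:])}
	}
	_, attacker, _ := ed25519.GenerateKey(rand.Reader) // never pinned in the old client
	good = VerifyRelease(pinned, 2, binary, []Sig{sign(privs[0]), sign(privs[2])})
	padded = VerifyRelease(pinned, 2, binary, []Sig{sign(privs[1]), sign(attacker), sign(privs[1])})
	tampered = VerifyRelease(pinned, 2, append(binary, '!'), []Sig{sign(privs[0]), sign(privs[1])})
	return good, padded, tampered
}
```

Only the very first install still depends on the download channel; every later upgrade is checked against keys the user already holds.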