No wallet that is connected to a computer with internet access is safe from hacking. Wallet encryption is only slightly better than no protection at all.

There is no backdoor to the encryption.

So there are a couple of possibilities:
a) user's wallet was not encrypted or was unlocked (recent transaction) - unlikely but possible
b) user's wallet had a weak password
c) user's computer was infected with malware keylogger
d) user re-used password on another site (which was compromised)
e) user re-used password on another site and it was stored in a password utility like lastpass which itself wasn't encrypted

I am thinking c is the most likely but without specific details we may never know.

I do think it would be a good idea if the bitcoin program directory (not to be confused w/ datadir) had a file (say paths.conf) with two options:

This would allow someone for example to put the datadir (everything but wallet.dat) in one location and the wallet.dat in another location (like removable usb drive).  

These values should also be able to set from the GUI. 

A cautious user could physically remove the usb drive when not conducting transactions.  This would require some refactoring of the QT client such that it can "run" (connect to network, download blocks, relay transactions, etc) without access to the wallet.dat.  When access to wallet.dat is restored (user inserts usb drive) the client would need to be smart enough to recheck recent blocks in an intelligent manner.

Not necessarily.  The QT client only prompts for password when performing an action which requires access to the private keys (normally signing a message or sending bitcoins).  This is intentional to reduce scope where password can be grabbed.  Launching the client to check your balance for example doesn't require access to the private keys and thus the client won't prompt to decrypt the wallet.

Good points all!  I'm changing the title.

just what is a Windows user to do?

it is annoying as heck having to constantly update Java for fear of an exploit.  linux devs need to enable those of us using proprietary Windows programs to run them on linux.  no, virtual box doesn't do the trick.  nor Wine...

Well one thing running Java on any platform not just Windows has the same or very close the same exploits, seeing Java was designed to be cross platform.

One of the most secure things you can do now is to uninstall Java unless you absolutely need it. If installed make sure you use the disable Java from running in the browser option.

I do all my web browsing, pdf&word file opening, etc. from inside a Virtualbox virtual machine.  I recommend the same for all hot wallet users.

Java itself isn't a huge problem, as long as you only use Java applications that you trust. The problem is the Java browser plugin. Just disable it.

That is why you should never run Java and that is why you should use caution when storing your coins. Why put them all in one place?