You could have a dead man switch where private keys are only released upon death

Except you don't need an ico for that. I'm pretty sure theres email services with dead man switches as features. Just put your clues/instructions for private keys in the email.

And also malware (just a malicious browser extension is enough) that changes the addresses that you see in your browser.
It seems pretty difficult to protect against these attacks at a reasonable cost. Any idea? (better that always double-checking on a second device that it dedicated to that. Without much stuff installed on to limit the risks)

No. The most glaring defect of hardware wallets is the presence of the physical device itself, which identifies you as an owner of bitcoins. It's like painting a bullseye on your back. How can you answer “What bitcoins, sir?” to the customs officer, when he's looking right at your Trezor or Ledger device? Or to your nosy neighbor? Or to the random house guest?
Use an online/offline software wallet with freely-available, open source code. Never put your keys on a network-connected machine. Sign all your transactions offline. Memorize your seed mnemonic. That way, wherever you go, your bitcoins go with you. Invisibly, without leaving any physical trace.
Once you've arrived at your new location, buy a Raspberry Pi and an SD card and download and install the wallet software on it for use as a signing machine. Sign transactions using your mnemonic, so your seed is never stored on any physical medium. Run a full node with a watch-only wallet for broadcasting transactions and tracking your balances.
Difficult? Yes, but true security is always difficult. All the “easy” solutions involve relinquishing control to some trusted third party, and reliance on third parties is exactly what Bitcoin was created to free us from.

You might find it easier just to memorize your master seed and store it only in your head. The risk of forgetting it is no greater than the risk of forgetting a password. And there's no physical backup to get lost, stolen or hacked.
I use the MMGen wallet and do all my address generation and signing offline using a memorized seed.
https://github.com/mmgen/mmgen

So what happens when you forget your "very strong password"?

"Bitcoins? Oh, you must mean my U2F device. That's for two factor authentication."

To a point. I would worry about plugging that thing in 10 years from now and it doesnt work.
I run a VM on my desktop that contains my desktop wallets. The VM is backed up to multiple sources both local and in the cloud. that way if the VM or my desktop crash, I can always just get a new computer, install HyperV, and import the VM from backup.

Compared to what? Your phone? Or your shitty windows box? Fuck yea. Are they 100% secure. Maybe.

Could the 5 remaining words have been found by brute-forcing? Brute-forcing 12 words isn't feasible, but 5 is way easier, considering this is exponential. (assuming phone compromission)
But that would be a targeted attack (which could be possible, you're the one that could know if this should be in your treat model)