Though I still don't understand why you should keep a master key which, as you say, you still can't use to restore the private key directly and thus should use a second hardware wallet (which adds risks if these are no longer available) if you can just encrypt your real key from this wallet and keep it in absolutely the same way as your master key. In this case, you wouldn't need a second device at all with risks being even lower at that (if someone steals the master key he could restore the private key using his own wallet). Basically, with these hardware wallets you are making your life unnecessarily complicated, especially in the case when things go awry.
I'll admit that it's indeed odd that you always need a Trezor device in order to recover your keys (which means that Trezor indirectly is still somewhat of a central authority here), but people prefer this hardware wallet for numerous reasons. Best thing is that when you transact with people, it basically doesn't matter whether or not you run everything from a clean computer as there is no way malware could affect anything. I think this is what gives people an ultimate form of confidence.
If there is a will, there is a way
As I understand it, a hardware wallet still runs some piece of software since otherwise how can it be used? But all software is bug-prone no matter how hard you or they may test it (I wouldn't trust it anyway unless it is open-sourced). Modems, routers, and whatever network equipment exists out there get hacked every other day. So if a hardware wallet gets connected to the Internet, you are not 100% safe from it being hacked by some malicious code. After all, Iranian centrifuges for separating nuclear materials got incapacitated due to the attack of the Stuxnet virus which specifically targeted programmable controllers (which a hardware wallet basically is).