Stakepool Operation Tools as a potential risk?

@zwirny

Hi Zwirny,

I understand all your concerns and I appreciate that you took some time to ask the community what their thoughts are about it, and since I am part of the community, besides being a professional Cyber Security consultant, I feel I can share my view on the topics you raised.

First of all, you stated that Bitcoin has been proven secure; in that regard I would like you to look at the following link, which lists some public Bitcoin vulnerabilities (Common Vulnerabilities and Exposures - Bitcoin Wiki).

IT Security is composed of several layers, all with their own Life Cycle Management:

  • Human Layer
  • Perimeter Layer
  • Network Layer
  • Endpoint Layer
  • Application Layer
  • Data Layer
  • Mission Critical Assets

All those layers need to be taken into account when you build and/or own a piece of IT software/infrastructure. Taking into consideration only a portion of it will expose your operation, since a chain is only as strong as its weakest link.

Most people who don’t have a clear vision of the overall orchestration of all these parts often fall into a paranoid state due to the confusion and the anxiety they feel.

About CNCLI, this is just a tool (a great tool from my point of view, as is gLiveView), but it is just a tool. History teaches us that a tool is only as good as the person using it.

  • Awareness is a very key component in a security environment; thinking of using a tool advertised as safe does not imply that the tool will be used in a safe way. Every piece of software, including BTC, has limitations from different points of view; it is how you use it that makes the difference.

I know many security devices (also hardware, like a lock) and software (including EnCase, used for forensic investigations in legal court) that all had or have vulnerabilities. Nothing will make you safe, but at the same time a risk mitigation strategy will help you be safer.

About IOHK, I would see them as a single point of failure if they were the only ones developing and debugging the Cardano software. Fortunately for them, there is a good part of the community that helps them debug the software they are releasing (and the Guild Operators have a big part in it).

I would NOT like to have a centralized and closed source code like other companies (aka Microsoft or Adobe) have… historically the products coming from those companies are the most prone to vulnerabilities, therefore NOT safer to use compared to other products which are Open Source. Thank god open source exists. :slight_smile:

Of course perfection does not exist and improvements are always possible; that’s why it is key to be aware of the limitations and plan a good risk mitigation strategy by orchestrating the tools you use in a very thoughtful way, depending on the context you are using them in.

In a truly decentralized technology, as Cardano aims to be, I envision the community taking ownership of the code as well as the overall security layers composing the ecosystem. Having them as a single point of truth is a rookie mistake from my professional point of view.

IOHK has done a great job in some aspects, but at the same time we are suffering from the lack of clarity and implementation of key parameters like k and a0, which are making the overall SPO community weak and divided, by allowing SPOs (like the one owning 1PCT) to exploit the network and delegators to their advantage.
Meanwhile, we as a community have failed to raise the right amount of awareness among the delegators who are delegating to those nasty SPOs which are not really interested in the health of the network.

All that said, being paranoid is not security-wise. Security is the overall orchestration of risk mitigation, and I guess we as a community are doing our best. Unfortunately many actors in our community, many having public channels on YT, are only concentrated on the commercial side rather than the educational one.

What @tomdx made is nice and thoughtful, but his docker project is also prone to vulnerabilities.
For instance, I would suggest he implement `--security-opt=no-new-privileges` in the run command of the docker image to reduce the attack surface (in this case lateral movements).

Once again, the Guild Operators made a good effort to help docker users be more aware and tighten up docker security with this small linked section.

I hope I shared my thoughts in a constructive way and maybe answered some of your questions so you can help us share the knowledge. :slight_smile:

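As an added example that is not part of the post above or of any project it mentions: a small POSIX shell lint that checks a `docker run` command line for the `--security-opt=no-new-privileges` flag the post recommends, plus a few other commonly recommended container-hardening flags (`--cap-drop=ALL`, `--read-only`, `--pids-limit`) and the presence of `--privileged`. The two command lines at the bottom are constructed sample input; the image name and flag set are assumptions, not the run command of any real pool's docker image.

```shell
#!/bin/sh
# Added example (not from the original thread): lint a `docker run` command line for
# container-hardening flags. Only the text of the command is inspected, so this
# runs offline without a Docker daemon.

# has_flag CMD REGEX -> exit 0 if CMD matches REGEX (extended regex, "--" stops
# grep from treating a pattern that starts with "--" as an option).
has_flag() {
    printf '%s\n' "$1" | grep -qE -- "$2"
}

# missing_hardening CMD -> prints the space-separated list of findings
# (missing hardening flags, or "privileged" when --privileged is set). An empty
# line means the command line passed every check.
missing_hardening() {
    cmd="$1"
    out=""

    # no-new-privileges: setuid/setgid binaries and file capabilities inside the
    # container can no longer grant more privilege than the process started with.
    # Accepts "--security-opt=no-new-privileges" and "--security-opt no-new-privileges:true".
    has_flag "$cmd" '--security-opt[= ]no-new-privileges' \
        || out="$out no-new-privileges"

    # Drop every Linux capability; add back only what the workload needs.
    has_flag "$cmd" '--cap-drop[= ](ALL|all)' \
        || out="$out cap-drop=ALL"

    # Read-only root filesystem (explicit volumes stay writable).
    has_flag "$cmd" '(^|[[:space:]])--read-only([[:space:]]|$)' \
        || out="$out read-only"

    # A PID limit contains fork bombs from a compromised process.
    has_flag "$cmd" '--pids-limit[= ][0-9]+' \
        || out="$out pids-limit"

    # --privileged undoes all of the above; report it as a finding of its own.
    has_flag "$cmd" '(^|[[:space:]])--privileged([[:space:]]|$)' \
        && out="$out privileged"

    printf '%s\n' "${out# }"
}

# Constructed sample input (assumed image name and flags, not a real pool's config).
WEAK_CMD='docker run -d --name relay -p 3001:3001 example/cardano-node:latest'
HARDENED_CMD='docker run -d --name relay -p 3001:3001 \
  --security-opt=no-new-privileges --cap-drop=ALL --read-only --pids-limit 512 \
  -v node-db:/db example/cardano-node:latest'

echo "weak:     $(missing_hardening "$WEAK_CMD")"
echo "hardened: [$(missing_hardening "$HARDENED_CMD")]"
```

Running it prints the four missing flags for the first command and an empty finding list for the second. The checks are textual on purpose: they catch both the `--flag=value` and `--flag value` spellings, but they do not know about flags set through a compose file or daemon defaults, so treat a clean result as a starting point rather than proof of a hardened container.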