Every commercial password manager is a security risk. Each company's product uses official applications (whether on desktop, mobile, or browser) provided by them. The applications are in theory coded to keep cleartext credentials sandboxed and unavailable to the company. That simple fact is a) not a guarantee - applications are binary installs so you have no idea what the application is really doing; and b) even the most secure application is a single accidental or intentional software update away from leaking/stealing the entire unencrypted contents.

I don't know if LastPass is the same, but 1Password has a browser "application" (regular old web page hosted on their servers) that keeps your credentials in the browser's local storage. While they technically don't store your credentials on their servers, that web app is a ticking time bomb for a cross-origin attack, someone managing to slip in one line of javascript in a commit, or any of your browser extensions/addons being compromised.

If you're reading this and are a software developer, think back to all the horrid code and glaring security holes you've seen at most companies you've worked for. Then consider that the type of developers and managers who are rushing deadlines at these password manager companies are no different. These products are not being designed or developed by top security professionals, but rather by everyday developers - most of whom likely know very little about encryption and security outside of what their language of choice's libraries make easy to use. Even if a password manager were to be written exclusively by the single best security professional on the planet and audited by the next top 100, again there is no guarantee for there to never be an accidental or intentional update or hack.

Consider what you are storing in a password manager. Full access to banking, including your life savings? Logins to your government's sites with sensitive data? For most of us, having a single moderately or critical account hacked would cause havoc. Imagine what happens if someone ever gets ahold of the entire contents of your password manager. It's identity theft taken to the maximum possible extreme. Two-step authentication (a la Google Authenticator) is an additional layer for many accounts, unless of course you're using something like a combination of LastPass's password manager and their separate 2-step auth app, in which case that one company exposes you to a single point of total security failure.

The idea of a commercial password manager being run by an everyday software development shop scares the crap out of me. I won't touch them with a 10-foot pole.