So the real question you should be asking is, "Who would benefit from a Bitcoin failure, and could they amass that much computing power?"
Here is a list of client security issues: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposu...
It seems like the biggest risk would be with the wallet websites, which is an issue that is present in other payment methods.
The biggest problem IMO is that there is no way to refund or right the wrongs done by an attack. If someone in russia or china steals half of the bitcoins, there is nothing anyone can do to get them back. I suppose they would all be logged and everyone could band together to block those BitCoins as payments, but that's probably not going to happen. That would be interest to watch play out.
You are not understanding the problem. Bitcoin is not a hash function, nor is Bitcoin a digital signature system. Bitcoin is a digital cash system, and so any discussion of Bitcoin's security must be based on the notion of security in a digital cash system.
There are two minimum security properties a digital cash system should have (informally): first, that the units of value cannot be counterfeited; second, that each unit of value can be spend by exactly one party at any given time. In both cases, it is commonly assumed that the attacker's work is bounded by some polynomial in the parameters of the system itself, so the system is secure if no polynomial time algorithm can break either property (but an exponential time algorithm might e.g. a brute-force approach). It is possible (and usually desirable) to prove that a system is secure using mathematical arguments, for example these systems:
http://link.springer.com/chapter/10.1007%2F11889663_20
https://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=568944...
http://ieeexplore.ieee.org/iel5/5326/5550332/05443458.pdf
(Sorry that these are paywalled, you can probably find them elsewhere)
Unfortunately for Bitcoin, while it seems to satisfy the first property (but no security proof is out there as far as I know), it fails the second property. Double spending in Bitcoin requires work that scales linearly with the parameters of the system (the "51% attack"), which is basically worthless as far as cryptography is concerned. The fact that Bitcoin uses a secure hash function and a secure signature system is irrelevant because the problem is with the protocol itself.
An easy way to illustrate the difference between using a secure cryptosystem and being a secure cryptosystem is the "surreptitious forwarding" problem. Suppose you receive a message from your boss that was signed with his secret key then encrypted with your public key which said, "You're fired!" Now what you might do is to re-encrypt the signed message with another person's key and send that to them; they would now believe that they were being fired. It is not the encryption system or the signature system that you attacked, it was the fact that composing signing with encryption in that manner does not prevent such forwarding (but there are ways to do that). Bitcoin has a similar problem.
It's worth noting that a 51% attack would only allow double-spending, and it's not something that could be realistically hidden; it would be very obvious what was happening. In addition, the amount of computing power available to the bitcoin network is becoming significant enough that it would be hard to exceed, even with a botnet.
It's also worth pointing out that people still use Paypal, despite all the stories of frozen accounts and people never getting their money back. People also still use credit cards, despite not every instance of fraud resulting in the victims getting their money back.
https://en.wikipedia.org/wiki/TICOM
I agree that people may very well use Bitcoin despite a successful attack (plenty of people still use Hushmail), although I think a lot of confidence would be lost. Bitcoin has a lot of hurdles to overcome as it is, and the detection or announcement of a successful attack would add yet another.
A 51% attack is a possibility, and might be currently possible with the largest botnets known to exist today, but it would be pushing it. In future it becomes even more difficult.
