@Faar:
I was only using iPhones as an example because of their popularity and with that, the availability of articles about them being "hacked". I have nothing against iPhones. I admit that iPhones are relatively secure devices, but you're reasoning from the wrong end of the line.

A: You say that iPhone apps are sandboxed. Although this does indeed improve security, once someone has access to your "computer" there's only so much you can do to prevent him from reading data he's not supposed to read. A compromised system can't be trusted.
Now that does of course depend on what the compromised system is, if it's "just a sandbox" then there's probably not much a hacker can get to - he can play around with the available sand, but he can't go outside the sandbox. If the hacker gets into the "root"-system however, he can access anything. It depends a lot on what part of the system is vulnerable. Hackers don't use hacks that land them in a sandbox, unless they know they can get out of them somehow or unless it's a useful hack on some other system.

B: You say you can't tell an iPhone apart from any other system connected to the internet, so you can't target them specifically. You're reasoning from the point of a single iPhone connected to the internet.
Hackers don't work like that, they hack "a" system connected to the internet and then figure out what kind of system they hacked and what they can use it for. They don't target any system specifically, they just try a bunch of stuff that's known to work. Once they get in, they probably know you have an iPhone (or any other type of smart-phone) from the method that was successful to hack it, but if not they can see by looking around in the hacked system.

C: Yes, you're definitely right about that, unless the owner of the phone is stupid enough to keep their WoW account information anywhere on it. That goes for any device connected to the internet. A scrap of paper isn't connected to the internet ;)

D: That's actually the same point as you were making at C. Not that it's any less valid.

Note that I'm not against using a smart-phone as an authenticator, I'm just putting forward that they aren't entirely as secure as a stand-alone authenticator.
Provided you keep good account security otherwise (which can't be repeated enough), the chances you can get hacked through an authenticator on a smart-phone are still marginal at best. It is a secure method of authentication, but no security method is 100% air-tight.

Even with a stand-alone authenticator your account can get hacked, chances are maybe 1 in several billions, but if enough people are trying some will succeed. If enough people have them though, the trouble of trying quickly outweighs their chances of success, which will reduce the number of people trying to hack them this way.
Social hacking would become the more efficient approach ("Hi, I'm 's alt, can you give me access to the guild bank please?" for example).