> If you enter your one-time password on a subverted system, the attacker suddenly has access to all your data. He only needs access once.
All your *current* data, yes; I don't see a way around that. The idea was to protect any future data you may put on the device from a different host PC.
> Not if your system is subverted.
The idea was to remove the USB key and re-encrypt it on a known-clean system, not re-encrypt on the compromised PC. Again, this is to protect against future unauthorized access, not to protect any data which may have already been exposed.
> Perhaps, but this doesn't exist today and sounds awfully expensive to develop.
I don't think it would be all that expensive; it's basically just a TPM chip with some trivial input hardware for the password. Internal hard-disk encryption exists today, though I don't know if it's any good. The drives I know of with that feature require full re-encryption to change the password, if they support it at all, but that wouldn't be hard to fix.