I’d suggest that that is not as rare as you might think. There are plenty of “unimportant” sites that don’t do proper password security – even storing passwords in plain text, or unsalted MD5, or other stupid things that sites do.
The problem is not to protect yourself against two average security sites being hacked. It is to protect yourself against the two worst-security sites you use being hacked.
It could happen, but it would certainly be noticed (and big news) if it did. No hacker could rely on the passwords thus received for being valid for long. This is unlike more traditional site compromises that are not discovered immediately.
True - they would only snag the credentials of those people who updated in the window between hijacking the site and when/if someone eventually shut them down - I guess it would depend on how long they managed to hold onto the stolen domain.
Another risk (for other password keeper solutions such as those appearing as smartphone apps) is the publisher going rogue and sending out an update with a backdoor in it - in this case, they could bide their time until sufficient penetration had been achieved, then steal a vast amount of personal data all at once.
What I like about KeePass is the possibility of using a key-file alongside your password. I want my passwords to be accessible from my desktop computer, my smartphone and tablet. I have my KeePass File on Dropbox for easy synchronisation and my key-file stored locally on each device.
Combined with a strong password I believe this to be a fairly secure solution.