the $9.99 every few years is trivial, I totally agree with that statement, so you spend what? an extra $9.99 every 5 or so years, big deal

as far as I know the USB security tokens out there today, most of them are not flashable, but I could be wrong on that part, it would be pretty stupid to make them flashable really

as for vulnerability, they would need to figure out the algorithm of your token, and the exact time code its on, yeah they could get the one time password you just typed in, but the chance they will use it in the 30 second time alloted? not likely

second, the point of the token is simple, hackers go after the easiest target(I.E. the person without the token will get hit first)

so yeah while they might try to get your account, most will realize you have the token and find another target to hack, cause to them time is money, and they want to do the most damage in the shortest amount of time, so the likelyhood they will go after you if you have the token isn't very high