I think these concerns are slightly misleading. 2., 3. and 4. boil down to 1.
1. is a problem. If one password is compromised it is possible to brute force the master password. This is mitigated by a key-derivation function.
2. is also mitigated by a key-derivation function. Also you still need to test the guesses, which requires knowing one password or trying to log into a website. The second option should be equivalent to compromising one password via brute force.
3. is not true, they need to know a password or try to log into a website for every guess.
4. Again, this is only true if one site password is compromised.
1. is a problem. If one password is compromised it is possible to brute force the master password. This is mitigated by a key-derivation function.
2. is also mitigated by a key-derivation function. Also you still need to test the guesses, which requires knowing one password or trying to log into a website. The second option should be equivalent to compromising one password via brute force.
3. is not true, they need to know a password or try to log into a website for every guess.
4. Again, this is only true if one site password is compromised.