While I agree that such a situation could garner the unwanted attention of hackers, the security of one's own account generally rests on the shoulder of the consumer, not the business. It's rare that the lack security of companies becomes the reason for account information being compromised (though Sony's foulout is a glaring reminder that it happens). Plus, if people get a hold of one's Paypal information, Diablo 3 is the last thing one has to worry about.
I merely mention the thought that PayPal accounts are notorious for being "easy" to hack into. Through various online vendors, eBay, phishing, etc, account login information can be stolen. I agree with you in that if you were to hack someone's paypal, you wouldn't give 2 cents about their D3 information. I am just dissapointed that Blizzard chose to go with PayPal for this RMAH having to know about the possible issues in security potential.
If the decision were mine, I would use a different company like Dwolla, who although smaller, is more intense in their security, options and customer service to be able to compete with online payment/banking systems like PayPal