Its only meant to be kinda close to wired equivalence - if someone really wants to snoop, there are ways to do it with wired as well (even without physically breaking in to the cable).
So yes, you security has to come from other layers (VPN, SSL for web etc).
WPA2 with EAP is end-to-end crypto strong; there's no funky password derivation function to brute-force, the packets are AES keyed randomly after a (most likely) TLS key exchange. I'm not saying I'd choose it --- too many moving parts --- but you can make the argument that modern wireless security is more secure than wired networks.
Yes good point, but its really going beyond what most people should care about. Of course, if it was easy to setup, and the work was not expensive in power/CPU, why not !
So yes, you security has to come from other layers (VPN, SSL for web etc).