I've Been Running GNOME Wayland On My Primary Dev System: It's Been Going Great


  • #31
    Originally posted by emblemparade
    Security is a big deal: X11 is full of holes. With Wayland, you can have complete desktop environments that offer mature security. These would be very attractive to corporate users who want to make sure that no screen capturing can occur due to a trojan/virus.
    People just keep repeating this wayland security mantra..

    It is not much harder for a trojan to log input/capture a wayland screen compared to X11 - the trojan will just LD_PRELOAD its library.
    If someone has local access to your desktop and is able to run code, consider yourself owned either way.
    Only some hardcore sandboxing can try to solve this issue, something like Qubes OS.

    Reminds me of our corporate admins that monitor every https connection and block lots of stuff, like USB drives, but I can still send out encrypted archives to my personal e-mail... yeah, good job.
    Last edited by Stellarwind; 07 December 2015, 09:26 PM.



    • #32
      Originally posted by cronius
      I'm not an expert, but my impression is that the Wayland protocol is a much better protocol than X11, and that it will lead to numerous benefits (once the entire stack has completely shifted to Wayland).


      tl;dr: Wayland is better, faster, smarter, more secure, less power hungry, and allows for more & better features. However, no server side decorations, and you still have to wait a long time for feature parity.
      I don't like this kind of 'Wayland is super' TLDR, you should also talk about the drawbacks in the summary..
      About the point you listed:
      1) It's quite possible to add a remote display feature on top of Wayland, sure, but no remote display protocol built in by default means that in quite a few cases you'll lose the feature or you'll have to work to have it.

      2) I thought that KDE was going to go with Server Side Decoration but AFAIK Martin Graesslin has changed his mind (he doesn't talk anymore about server side decoration).
      I use Windows with its CSD and I see the drawbacks (you cannot simply manage a frozen window until the window manager detects the frozen state, very annoying), maybe Wayland will have a better implementation with fewer drawbacks for CSD? Doubtful.

      Many advantages of Wayland are because it's a lower level protocol: it allows clients to do more and better features, sure but it will also create more fragmentation between desktops: Gnome app on KDE for example, will it still work well? Eventually hopefully yes, but there could be quite a long time when the interoperability is worse.



      • #33
        Originally posted by blackout23

        xdg-app doesn't explicitly need Wayland.
        My bad. It seems the cross-platform aspect of xdg-app can be had with X11 as well. But I do remember them saying that X11 can't be properly sandboxed.



        • #34
          Originally posted by Stellarwind

          People just keep repeating this wayland security mantra..

          It is not much harder for a trojan to log input/capture a wayland screen compared to X11 - the trojan will just LD_PRELOAD its library.
          If someone has local access to your desktop and is able to run code, consider yourself owned either way.
          Only some hardcore sandboxing can try to solve this issue, something like Qubes OS.
          Indeed, sandboxing is needed before it's actually secure. But for others reading this, if e.g. a distro pushes out a complete sandboxing implementation tomorrow, then all X11-users are still open for blatant security attacks, but wayland-users will be secure, so wayland is in this regard a stepping stone towards a secure desktop.
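
Added example, not part of any post in this thread: posts #31 and #34 both turn on a trojan using LD_PRELOAD inside the user's session, so this sketch shows how a defender can audit process environments for preloaded libraries that sit outside trusted directories. The trusted directory list, the function names and the sample blobs are assumptions made for the illustration.

```python
import os

# Assumption: directories this host treats as trusted library locations.
TRUSTED_DIRS = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/")

def preloads_from_environ(blob):
    """Return libraries named by LD_PRELOAD in a /proc/<pid>/environ blob."""
    for entry in blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name == b"LD_PRELOAD":
            # ld.so accepts ':' and whitespace as list separators.
            return value.decode("utf-8", "replace").replace(":", " ").split()
    return []

def is_suspicious(path):
    """True unless the normalized path is under TRUSTED_DIRS. Bare names are
    flagged too (LD_LIBRARY_PATH can redirect them); symlinks are not resolved."""
    return not os.path.normpath(path).startswith(TRUSTED_DIRS)

def audit(environs):
    """Map pid -> preloaded libraries that need review."""
    findings = {}
    for pid, blob in environs.items():
        bad = [p for p in preloads_from_environ(blob) if is_suspicious(p)]
        if bad:
            findings[pid] = bad
    return findings

def read_live_environs():
    """Collect environ blobs for every process this user may read."""
    out = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{name}/environ", "rb") as fh:
                out[int(name)] = fh.read()
        except OSError:
            continue  # process exited, or owned by another user
    return out

# Constructed sample blobs (not taken from a real system).
SAMPLE = {
    101: b"HOME=/home/u\0XDG_SESSION_TYPE=wayland\0",
    202: b"LD_PRELOAD=/usr/lib64/libjemalloc.so.2\0PATH=/usr/bin\0",
    303: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libhook.so:/usr/lib/libc_ok.so\0",
    404: b"LD_PRELOAD=/usr/lib/../../home/u/x.so libfoo.so\0",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

/proc/<pid>/environ reflects the environment a process was started with and is readable only for your own processes unless run as root. The system-wide /etc/ld.so.preload list is a separate preload source that this block does not read.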



          • #35
            Originally posted by renox
            I don't like this kind of 'Wayland is super' TLDR, you should also talk about the drawbacks in the summary..
            About the point you listed:
            1) It's quite possible to add a remote display feature on top of Wayland, sure, but no remote display protocol built in by default means that in quite a few cases you'll lose the feature or you'll have to work to have it.
            There's lots of features that used to be part of the shared display server but now have to be implemented by every compositor, like e.g. display setup (also, xorg has xrandr, wayland could have an extension for it, but no one has written one so there is nothing).

            Someone mentioned that they could in theory create a shared wayland display server and simply run window managers/desktops as a subcompositor, thus recreating the shared "platform" of xorg, however ... wayland was designed to avoid that, so maybe not repeat history/old habits.

            Regarding remoting, if someone just made an extension for it (and pushed for e.g. xdg-standardization) then it would be easier to achieve widespread implementation. Perhaps the problem is that there's simply not enough developers working on the wayland protocol/stack (wouldn't be the first time the linux community faces that problem...).

            2) I thought that KDE was going to go with Server Side Decoration but AFAIK Martin Graesslin has changed his mind (he doesn't talk anymore about server side decoration).
            I use Windows with its CSD and I see the drawbacks (you cannot simply manage a frozen window until the window manager detects the frozen state, very annoying), maybe Wayland will have a better implementation with fewer drawbacks for CSD? Doubtful.
            I don't use Windows, but in wayland the compositor is in charge of managing everything about the window except its actual contents (in fact in wayland a client doesn't even know its coordinates on screen), so if the compositor/window manager has keybindings for e.g. killing a window then everything should be dandy.

            It's worth mentioning that even though the "blind client"-setup of wayland has its drawbacks (client knows very little of what's going on and without extensions can basically just politely ask the compositor to do something which the protocol says the compositor is free to ignore), there is a clear advantage: the compositor has all the power. Clients can't assume where they are on screen, can't assume what's going on and as a result can't make mistakes based on bad assumptions. It's different from the X11/xorg-model (and we're all feeling the drawbacks today), but in a few years' time I'm sure we're going to see the advantages spring to life.

            Many advantages of Wayland are because it's a lower level protocol: it allows clients to do more and better features, sure but it will also create more fragmentation between desktops: Gnome app on KDE for example, will it still work well? Eventually hopefully yes, but there could be quite a long time when the interoperability is worse.
            Yeah, wayland is sure taking its time, and I share your sentiment on fragmentation. (It's absolutely fixable, but someone has to do the work...)



            • #36
              Originally posted by renox

              1) It's quite possible to add a remote display feature on top of Wayland, sure, but no remote display protocol built in by default means that in quite a few cases you'll lose the feature or you'll have to work to have it.

              One of the devs mentioned here in Phoronix that there was/is one written as a proof of concept. No one stepped in to make it work and mainline it. As it seems, none of the people that complain about the lack of it needs it.



              • #37
                Originally posted by 89c51
                One of the devs mentioned here in Phoronix that there was/is one written as a proof of concept. No one stepped in to make it work and mainline it. As it seems, none of the people that complain about the lack of it needs it.
                What do you call 'mainline it'?
                The remote display POC was part of Weston not of the Wayland protocol so there is no 'mainline' in the Wayland project for it as Gnome and KDE don't use Weston and currently both are more in the 'make it work' phase than 'adding feature' phase.
                Last edited by renox; 08 December 2015, 12:11 PM.



                • #38
                  My personal Wayland user experience on Fedora Rawhide.

