There are people on eBay selling printed paper wallets for £2 a time. What is to stop the seller keeping the private key... People are actually buying them as well! That is a response to the topic title.
In response to the OPs message body, no. Not feasible for storage/generation. Not taking into account quantum computers, it would take more space/time than the entire universe has with the entire sun being burned up to provide energy to find even 1 address private key. It would be more feasible to go up to every bitcoin address owner you know and force them at gunpoint to give you the keys, and even that is impossible to do it to them all.
It has been possible to steal addresses and keys that were generated with bad RNGs OR ones that reused nonce value when signing transactions. Signing two transactions from one address/keypair with the same nonce value (as blockchain wallets did at one point) allows the private key to be computed from the two or more signatures where the nonce was the same. That raw data can be found on the blockchain and hackers have scanned for vulnerable addresses and probably still do, to compute the private keys and sweep them. Some white-hatters who returned the funds, and some black hatters.
https://eprint.iacr.org/2017/1014.pdfRNG failures. Using a given nonce only for one message is crucial: If a nonce is reused for two
different messages, an attacker can trivially calculate the private key for generating signatures. This is
caused by the fact that the underlying primitive – an interactive zero-knowledge proof [1] – requires
distinct nonces in order to be secure. Thus, the developers of cryptographic implementations have
to make sure that nonces are never reused. A common way to achieve this is using a high entropy
RNG to generate fresh nonces per signature. One prominent example where usage of repeating nonces
led to a compromise of signature keys was Sony’s Playstation 3 [2]. The hacker group fail0verflow
showed that Sony was reusing the same nonce for every digitally signed game. The members could
then calculate the private key and create valid signatures for arbitrary files including pirated games or
Linux applications. Another security breach that resulted out of insufficient entropy in the nonce of
ECDSA signatures happened in a Bitcoin Android app [3]. As a result, attackers stole Bitcoins worth
several thousand Dollar.