Online wallets are unsafe because the your private key will be shared by the wallet provider.
In the case of Coinbase and Xapo, yes.
Blockchain.info, Green Address and BitGo are not in a position of enough power to steal your coins, provided that you use the features that they let you use. I'm sure that there are some others as well. In blockchain.info's case, you have access to your private keys.
bitcoincore, electrum and multibit
Multibit is no longer maintained and has had some serious bugs. You should stop suggesting it.
Does anyone know those which online wallet those big exchanges such as bitstamp, kraken, bitffinex use? Do they use 3rd party hot wallet or they are using their own proprietary online wallet?
It differs from exchange to exchange, but usually they will have most of their coins in cold storage, and they will take out what they need for a certain period into hot wallets that they control. There should be an automatic system for the hot wallets to send out withdrawals when requested by their users.