The average time between confirmations is 10 minutes. Sometimes they can happen in less than a second, or they can take over an hour.
It's not the sender that decides how many confirmations are required; the merchant decides how many confirmations they want to wait for. The transaction will typically show up in the merchant's wallet in less than 5 seconds (often less than a second). At that time it will have 0 confirmations.
The risk is that someone can write a special wallet program that can send two transactions that spend the exact same bitcoins. One transaction would be paying the merchant (which the merchant would see), and the other would send the bitcoins to a different address that you own (the merchant probably won't even see that transaction until it is confirmed). Only one of those transactions will become confirmed and added to the blockchain. Once one of the transactions is confirmed, the other transaction will become invalid and all peers will discard it. This is not an easy or reliable process, and it is obviously fraud (just like writing a bad check, or falsely claiming fraud on a credit card transaction). It would be faster, easier, and more reliable for the customer to simply get up and walk out of the restaurant without paying than it is to try and successfully pull off this 0 confirmation fraud.
It's not as simple as that to doublespend. If you send two transactions simultaneously the network will see it, I believe. You'd have to give the real transaction a head start so the network does not have enough time to mark the transaction as a double spend, yet at the same time you should not wait too long, or else the fraudulent transaction will not be able to beat the original transaction. For this reason doublespend attempts often fail.
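The merchant-side view of the conflict discussed in the posts above, as an added example that is not part of the original thread: a small model that tracks which previous outputs each 0-confirmation payment spends, flags a payment when a second transaction spending the same output is seen, and drops the loser once one of the two is confirmed. The `Tx` and `MerchantWatcher` names, the status strings and the sample ids are hypothetical; a real wallet would feed this from its node's view of relayed transactions and blocks.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Tx:
    txid: str               # constructed sample id, not a real transaction
    inputs: tuple           # (previous txid, output index) pairs being spent
    pays: str               # receiving address label (hypothetical)
    confirmations: int = 0

class MerchantWatcher:
    """Flags unconfirmed payments whose inputs are also spent by another tx."""

    def __init__(self, address, required_confirmations=1):
        self.address = address
        self.required = required_confirmations
        self.txs = {}            # txid -> Tx still considered valid
        self.first_spend = {}    # outpoint -> txid first seen spending it
        self.conflicted = set()  # txids that share an input with another tx

    def observe(self, tx):
        """Record a relayed transaction; return txids it conflicts with."""
        self.txs[tx.txid] = tx
        clashes = set()
        for outpoint in tx.inputs:
            first = self.first_spend.setdefault(outpoint, tx.txid)
            if first != tx.txid:
                clashes.add(first)
        if clashes:
            self.conflicted |= clashes | {tx.txid}
        return clashes

    def confirm(self, tx):
        """A block included tx: drop every other tx spending the same inputs."""
        self.txs[tx.txid] = replace(tx, confirmations=tx.confirmations + 1)
        losers = {t.txid for t in self.txs.values()
                  if t.txid != tx.txid and set(t.inputs) & set(tx.inputs)}
        for txid in losers:
            del self.txs[txid]
        return losers

    def status(self, txid):
        tx = self.txs.get(txid)
        if tx is None:
            return "invalid"
        if tx.pays != self.address:
            return "not-ours"
        if tx.confirmations >= self.required:
            return "accepted"
        return "double-spend-seen" if txid in self.conflicted else "pending"
```

`confirm` takes the full transaction rather than an id so that it also covers the case where the merchant first learns of the conflicting transaction from a block.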