Great question. I'll give an example to help illustrate the problem and how 2-of-3 multisig solves it.
Let's say you run a bitcoin service of some sort, for example, an exchange, a gambling website, an ATM network, etc. One morning you wake up to find that $1,000,000 worth of bitcoins are missing from your hot wallet.
If you were using 2-of-3 multisig, this scenario could have been prevented, because the service provider (for example BlockTrail) could enforce your custom restrictions and spending limits before signing your transactions. This allows you to greatly mitigate how much damage an attacker can do (i.e., you would lose $10k instead of $1m). In order to circumvent the restrictions, an attacker would need to have access both to your systems AND the multisig service provider's systems, making it very unlikely for a successful attack.
In another scenario, if the multisig service provider's systems are breached, then users' coins are still safe, because the service provider only has 1 out of 3 keys needed to make transactions. An attacker would still need to attack every single user individually to actually get their bitcoins. This isn't necessarily the case with some of the more traditional APIs, which either have access to your private key (Coinbase) or require you to send your password to the service provider (bc.info).
Since we're on the topic of security, I think it's worthwhile mentioning some of the benefits of HD Wallets, which separate your keychain from your backup process. The issue is that if your bitcoin service (exchange, gambling site, ATM, etc.) is constantly generating new bitcoin addresses for users to pay and deposit into, in a short while you'll find that you need to manage hundreds, or hundreds of thousands, of private keys. If you have a high volume of transactions, it's likely that you have a very well defined backup process for getting these keys into cold storage.
HD wallet technology eliminates this issue entirely - since you have one private key to manage all of your bitcoin addresses, forever, and you only need to back it up once when you initially create it. You can generate it, throw it in a safety deposit box and never need to expose your backup process to technical faults, human errors or unknown security vulnerabilities. This is also far easier to manage and gives you peace of mind.
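The two multisig scenarios in the answer above, as an added simulation that is not part of the original post and is not any provider's real API. It assumes HMAC-SHA256 as a stand-in for ECDSA signatures, constructed key names, a $10,000 limit and a rolling 24-hour window.

```python
import hashlib
import hmac

WINDOW = 24 * 3600  # rolling limit window in seconds (assumed policy)

def sign(key, tx):
    # Stand-in for ECDSA: HMAC-SHA256 over a canonical encoding of the transaction.
    msg = "{to}|{usd}|{nonce}".format(**tx).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def is_spendable(tx, sigs, keys, threshold=2):
    # "Network" rule: at least `threshold` of the registered keys must have signed.
    valid = sum(any(hmac.compare_digest(sign(k, tx), s) for s in sigs) for k in keys)
    return valid >= threshold

class PolicyCosigner:
    """Hypothetical provider side: holds one of the three keys, signs only within the limit."""
    def __init__(self, key, limit_usd):
        self.key, self.limit_usd, self.spent = key, limit_usd, []

    def cosign(self, tx, now):
        recent = [(t, usd) for t, usd in self.spent if now - t < WINDOW]
        if sum(usd for _, usd in recent) + tx["usd"] > self.limit_usd:
            return None  # refuse: the spending limit would be exceeded
        self.spent = recent + [(now, tx["usd"])]
        return sign(self.key, tx)

def simulate_hot_wallet_compromise(limit_usd=10_000, attempts=100, each_usd=10_000):
    # Constructed keys: hot (online server), provider (co-signer), backup (offline).
    hot, provider, backup = b"hot-key", b"provider-key", b"backup-key"
    cosigner = PolicyCosigner(provider, limit_usd)
    lost = 0
    for n in range(attempts):  # only the hot key is compromised
        tx = {"to": "unauthorized-address", "usd": each_usd, "nonce": n}
        sigs = [sign(hot, tx)]
        second = cosigner.cosign(tx, now=n * 60)
        if second:
            sigs.append(second)
        if is_spendable(tx, sigs, [hot, provider, backup]):
            lost += tx["usd"]
    return lost  # total that left the wallet despite the co-signer policy

def provider_breach_alone_can_spend():
    # Only the provider's key is compromised: one signature out of three.
    keys = [b"hot-key", b"provider-key", b"backup-key"]
    tx = {"to": "unauthorized-address", "usd": 1, "nonce": 0}
    return is_spendable(tx, [sign(b"provider-key", tx)], keys)
```

With these constructed inputs, $1,000,000 of attempted withdrawals through the compromised hot key are capped at the policy limit, and the provider's key alone authorizes nothing.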