Excellent post that outlines the weaknesses of a typical multisig setup.

One other thing: If under duress you could destroy a single key via a "brick-me" PIN. This way it's now impossible for anyone (thief or otherwise) to spend funds before the timelock expires. With this plan, one is better off using a 2-of-4 quorum so there is still redundancy if a key is destroyed in this manner.