RE: Exchange hack of EOS is IMPOSSIBLE!! | Yes Impossible by chowdog

Viewing a response to: @chowdog/re-zoidsoft-re-chowdog-exchange-hack-of-eos-is-impossible-or-yes-impossible-20180712t223230833z

·@zoidsoft·
A clever hacker knowing this limitation would lie in wait until exactly the 72 hours have expired and would not expose the fact that the account has been compromised.  Then you unstake and that fact is broadcast to the blockchain where that public info is seen.  Then if you are just one minute too late, you'd have to file a request to EOS911.  I'd prefer that this info was hidden as it would give much greater security.

Another approach would be to change the private / public keypair just before the 72 hours are up on the unstaking.  That would most likely thwart any attempts at theft.

PS - It just occurred to me that if the owner can change the keypair associated with an account, a hacker could do the same thing with a compromised account, thereby stealing the account.  Then it's up to the original owner to realize the hack within 72 hours and do something similar to the account recovery process on Steemit.

I heard that Dan Larimer suggested throwing out the original constitution which has the provision that "intent is law".  If "code is law" replaces it, then account recovery may be done for.