I use IPsec here for everything. The reasoning is that most attacks are made by insiders anyway - the bad side/good side thinking is flawed. (If anyone makes off with the servers they can have fun trying to break the full-disk encryption, so no problem there, either.)
It's also fun to use telnet, NIS, NFS and FTP without any worries - feels like the good old days! :-)
You're understanding is basically correct.
First I'd like to mention that if you know the PSK, or have a copy of the certificate, it's basically game over. Cracking the the session key is cryptographically trivial if you've got that much information. If you don't have the PSK or cert you're left with brute force, as you mentioned.
Certificates are just as "easy" to brute force as PSKs, except that certificates are usually longer. A sufficiently long PSK works just as well however (for practical purposes). Also cracking RC4 is essentially as easy as cracking AES (for the purposes of NGOs)
You are however drastically underestimating the processing power required to crack a decently complex PSK. A PSK should be at least 12 characters long, using lower case, upper case, numbers, and symbols.
If you wanted to search all the possible keys up to 15 characters long (using all the aforementioned characters) you would have to search about 800 septillion keys. If your computer can calculate a billion keys per second it would take about 24 billion years to try them all.
Now after you you get half way through those keys, you're more likely than not that the next key you calculate will be the correct key; thus for the purposes of probable key cracking, you can chop that time in half.
Best get started now, you've going to be there a while. See also, Jeff's Post.
It'd be much easier to simply break into the person's house and beat the information out of them. (I absolutely do not condone, advocate, or suggest physically harming someone or threatening to do so)
WiFi under WEP everyone shares the same encryption key anyway, so broadcasts are no trouble. Under WPA/WPA2 a Group Transient Key (GTK) is given to each endpoint after the initial PTK (session key) is setup. Broadcasts are sent using this GTK so that all endpoints can decrypt it. In infrastructure mode endpoints aren't allowed to talk to each-other directly, they always go through the AP.
Edit:
If you need to generate a good WPA password, here's a random password generator.
If you pick a weak dictionary based passphrase, it can be cracked very quickly (<5 minutes) with an average modern laptop; it does however require the cracker to intercept the 4 way handshake when a WPA is setup.
Edit2:
NGO = Non-Governmental Organization (ie, typical corporations or mad scientists, people without the resources to build or use a top100 supercomputer to break keys, even if they wanted to).
Within WEP, WPA, and WPA2 there is no way to prevent legitimate users who can "hear" the two initial nonces from cracking the PTK. Another layer such as IPSec could be grafted over the top (in fact, IPSec could be used to replace WEP/WPA). WEP and WPA are not meant to insure individual privacy. They are meant to make your wireless network as secure as a wired network (which is not very secure in the first place). While they aren't perfect, they meet this goal most of the time.
Best Answer
It is very difficult to detect sniffers, because they work passively. Some sniffers do generate small amounts of traffic and though, so there are some techniques for detecting them.
There are some tools which implment these techniques, for example open source tools like Neped and ARP Watch or AntiSniff for Windows, which is a commercial tool.
If you want to prevent sniffing, the best way is to use encryption for any network activity (SSH, https etc.). This way sniffers can read the traffic, but the data won’t make no sense to them.