baobun 15 hours ago

Mitigations for cold wallets (step 0: don't carry the sole signer to millions in your pocket), from simple to complex:

1. Classic custody with offchain authentication ("rediscover banks")

2. Self-hosted cold/offline airgapped wallet with split Shamir seedphrase backup

3. Multisigs and HTLCs (e.g. transfers only executed on 2-of-3 signatures of yourself and trusted third party, with a timelock/delay)

Those are all robust and tried-and-true patterns.

On smart contract chains like Ethereum there is a jungle of "smart wallets" backed by smart contracts doing the above and more. Obviously those are earlier days and not without their own class of risks but they should illustrate what is possible.

> And, the crypto exchanges will be of little help.

You'd probably be surprised. Exchanges tend to collaborate and be quick in responding and acting to reports of theft or other criminal activity going through their platforms. Including those which otherwise tend to skirt the darker shades of the regulatory gray zones.