"They will attack it based on timing, compression problems, flaws in the protocol, freezing the RAM to extract a private key, etc. etc. There's really no end to the variety of things you can try to attack a cryptosystem."
I will say that in my experience 95% of the attacks are going to be social engineering, less about sophisticated things when the social is way easier.
The problem is that while probably FEWER than 5% of attacks are technical, they generate industrial scale issues -- e.g. tens of thousands of stolen identities.
Even so, while there have been high profile examples of encryption algorithms being shown to be flawed (e.g. RSA had to reissue all its dongles a couple years back because they were using a flawed RNG), I do not know of any actual successful dark-hat attacks along those lines (of course they may have occurred undetected or not been disclosed, or I may simply be ill-informed).
High profile security breaches are generally a result of poor or no cryptographic practices, negligence (e.g. IEEE keeping its member records in a plain text file on an FTP server), or (as you say) social engineering.
In short, while really good cryptography may be hard, halfway decent is not hard, so it becomes a case of "assumed hard and left untried" rather than "tried and found hard".
Finally: there's also the problem of security theater, such as forcing people to change their passwords at a ridiculous rate.