The issue with Steam is that it's not a generalized online store, and it likes to run in the background. What needs to happen is to have a download manager that works for any sort of application based on some open-ended specification, allowing the customer to make an account (something linked to PayPal, probably), buy an application, and then have rights to download it wherever they log in to that manager (which should probably be open-source). Once you download the game/application, you do a quick validation check on it the first time it runs. This validation is tied to the computer it was downloaded on, but allows you to then play the game/application free of restrictions or an internet connection, without the need of any program running in the background. The validation would not expire, and would simply sit there until you uninstalled it and had to download it again. Because it's tied to the computer (via processor serial number or whatever), it could be a simple encrypted file in the game's directory.
The best security is one that is effective even if the thief knows exactly how it works. EA could have simply limited keys to 3 people online at a time. Instead, they acted like f*cking retards.
My copy of Spore still isn't here.