
The app-specific passwords are a feature and if you prefer the extra security over being able to use apps that don't support 2-factor, then you can choose not to use them, and get the full security benefits of 2-factor. It's just that, short of expecting every single third-party client app to implement 2-factor authentication or not allowing access to any that don't, there's no alternative to the app-specific passwords.

They are strictly better than using a single password for everything though, in that they are unique and strong (due to being automatically generated and 16 characters long), and easily revocable.

Non-web apps don't have a UI for two-factor. An app-specific password is a compromise, which is vulnerable if someone steals your local installation of the client to get its keys.

Right. Did I say something contradicting that? Google could have decided not to offer application-specific passwords at all, but from any individual user's perspective, that's exactly equivalent to just not using them. At least having application-specific passwords gives you the option, and is at least as secure as giving your master password away to every client application.

I suppose there is one possible negative consequence to users who opt not to use app-specific passwords: their existence alone removes some of the incentive for client applications to implement 2-factor themselves (which I don't know if Google even has an API for). And sure, it would be nice to have features like access control on a per password basis (e.g., so I could allow Pidgin to access only gchat, but no other part of my account). But the implication that the mere existence of application-specific passwords somehow makes Google's 2 factor auth useless is just wrong.
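The properties argued over in this thread (a generated, unique, revocable secret per client, with the per-app scoping the last comment wishes for) modelled as an added example; this is not code from the thread or from Google, and the 16-lowercase-letter alphabet, PBKDF2 parameters and scope names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_lowercase  # assumed alphabet; 16 letters ~ 75 bits of entropy
ASP_LENGTH = 16
PBKDF2_ROUNDS = 100_000  # assumed work factor


@dataclass
class AppPassword:
    label: str
    scopes: frozenset
    salt: bytes
    digest: bytes
    revoked: bool = False


class AppPasswordStore:
    """Per-application passwords: generated server-side from a CSPRNG, shown to
    the user once, stored only as a salted hash, and tied to a label and scopes."""

    def __init__(self):
        self._entries = {}

    def issue(self, label, scopes):
        # The plaintext is returned exactly once; only its hash is kept.
        pw = "".join(secrets.choice(ALPHABET) for _ in range(ASP_LENGTH))
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        self._entries[label] = AppPassword(label, frozenset(scopes), salt, digest)
        return pw

    def revoke(self, label):
        # Revoking one client's password leaves every other client untouched.
        self._entries[label].revoked = True

    def authorize(self, candidate, scope):
        """Return the matching label if the password is valid, not revoked and
        permitted for `scope`; otherwise None. Uses a constant-time compare."""
        for entry in self._entries.values():
            if entry.revoked:
                continue
            d = hashlib.pbkdf2_hmac("sha256", candidate.encode(), entry.salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(d, entry.digest):
                return entry.label if scope in entry.scopes else None
        return None
```

Verification here walks every entry, so cost grows with the number of issued passwords; a real store would key lookups on a non-secret identifier sent alongside the password.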
