I don't see much of an issue with using public wifi so long as you know whatever you're doing that is important/sensitive is encrypted. I don't use any public wifi any more than absolutely required, but otherwise almost every *responsible* website or service uses tls for https traffic today anyways, or as stated - you use a vpn to ensure no one locally at least is sniffing your wifi session. If your websites or services aren't using https, you shouldn't use them, as even a vpn has to egress to the regular internet somewhere that has a government (or other) black box sniffing it too.
I agree, it would be nice if there were a better method of getting public users encrypted, but without some unique key exchange per user, or at the very least a white-list method (remember the wps buttons that generated a weak numerical pin?) to make strong, or at least random, it'll remain weak at best, and probably eventually exploitable.
A hardware solution is a non-starter though. Where does a phone or tablet have a usb slot to get on? Certainly whoever made it wouldn't support linux, or a foss solution as it doesn't incentivise anyone to produce said hardware. Hand out yubikeys, but client software and use is still problematic even with u2f per os for something like wifi use.
If you did hardware, I'd imagine nfc-based for mobiles, make them come up and swipe a token to get the pass of the day to get on, and it changes every day. PCs, you just rotate a common key to give to customers every day and print/display for users inside the establishment every day. Even just use a one-time token generator with a numeric key held by *someone(s)*. I've seen medical offices handling guest wifi by changing keys daily for at least any guest ssid and just printing the daily guest wifi inside reception, which keeps persistent users from access outside the establishment doing probably nothing good.
This can be done with any enterprise-ish wifi solution that supports Private-PSK functions, or many-to-one passwords for the same ssid. Aerohive, Cisco, Juniper/Mist, Aruba, etc. all tend to do this, leverage otp generation via Duo, Google Authenticator, or other "app".
Even once encrypted, do you still trust the internet source though, that their router isn't infected from running a 10-year-old firmware? You shouldn't, again vpn, or at least ensuring who you're accessing is using tls, and you trust their cert.
Interestingly enough, being in Santa Monica, CA on business, their public library gets swarmed daily with homeless that really love their free public wifi there (seems even homeless all have cell phones these days), that I can only imagine the cesspool of devices there that could be hijacked/man-in-the-middle'd easily on non-encrypted wifi. Even just build a fake public access ap to mitm, then infect... Being that I'm there doing work *for* the city, it's something I have mentioned to folks as a problem.
-mb
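
The daily rotating guest key described in the post above, as an added example that is not part of the original post: a per-day passphrase is derived from a site secret the same way TOTP derives codes, but with a one-day time step, so reception can print it each morning. The secret, the SSID name, the alphabet and the grace window after midnight are assumptions made for this sketch, and `accepted_passphrases` assumes a controller or portal that can accept more than one key at a time.

```python
import hashlib
import hmac
import struct
from datetime import date, datetime, timedelta, timezone

# Constructed demo secret (assumption); a real one stays on the system that prints the sheet.
SITE_SECRET = b"constructed-demo-secret-do-not-reuse"
# Alphabet without look-alike characters (0/O, 1/l/I) so a printed code is easy to type.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def day_counter(day: date) -> int:
    """Days since 1970-01-01, i.e. a TOTP-style counter with an 86400 s step."""
    return (day - date(1970, 1, 1)).days


def daily_passphrase(secret: bytes, day: date, ssid: str, length: int = 12) -> str:
    """Derive the passphrase for one SSID and one day (WPA2 allows 8-63 characters)."""
    msg = ssid.encode() + b"\x00" + struct.pack(">Q", day_counter(day))
    n = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest(), "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def accepted_passphrases(secret: bytes, now: datetime, ssid: str,
                         grace: timedelta = timedelta(hours=1)) -> list:
    """Keys valid at `now`: today's, plus yesterday's during the grace window
    after midnight so guests already inside are not cut off at rollover."""
    today = now.date()
    accepted = [daily_passphrase(secret, today, ssid)]
    midnight = datetime.combine(today, datetime.min.time(), tzinfo=now.tzinfo)
    if now - midnight < grace:
        accepted.append(daily_passphrase(secret, today - timedelta(days=1), ssid))
    return accepted


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("guest key for", now.date(), "->",
          daily_passphrase(SITE_SECRET, now.date(), "Guest-WiFi"))
```

Yesterday's printout stops working once the grace window closes, which is the property the post credits with keeping persistent users from connecting from outside the establishment.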