With LastPass, your account password is your master password. Its hash is stored on their servers, and they have an opportunity to intercept the plaintext whenever you log in.
With 1Password+Dropbox, Dropbox doesn't know your master password. It only ever sees the encrypted vault, and doesn't have any opportunity to intercept any plaintext. (If your password is strong enough, you could probably even get away with posting your vault on a public website.)
I use 2-step auth with LastPass. Although passwords are encrypted on client-side for LastPass too, I understand that if LastPass wants, they can get the master password or password for any specific site. All they need to do is change their client. However, considering 1Password is closed-sourced, if they want, they can do so too. Right?
And if I think about "What is harder for hackers to get to: My encrypted password file on Dropbox or my encrypted passwords on LastPass," I feel I'll have more confidence in LastPass.
You log in every day to LastPass, giving them a lot more opportunity to intercept your password without changing anything on the client side. LastPass also has a web interface where you can log in, and you often need to log in there in order to make changes to your account. This can act as an additional attack vector if they were compromised.
If 1Password was compromised, on the other hand, they'd have to wait until you upgrade the client to the bugged version. As far as I can tell, they don't even have a web interface for you to log in.
Dropbox doesn't even come into the equation since it's just dumb storage. Someone who compromises Dropbox will only see a useless blob. The attacker would have to compromise both 1Password and Dropbox, as well as get you to install a compromised 1Password client, in order to get your encrypted passwords.
There is no straightforward way for AgileBits to quietly steal credentials from a specific target --- they'd have to publish an update that did that to their whole userbase, hope the target actually updates, and they would get caught. It is on the other hand trivial for LastPass to do that, for most of their users, because there is a normal usage flow for that product that involves typing a master password into an HTML PASSWORD input.
The problem is not open-source/closed-source so much as it is that convenient, centralized, web-based crypto tools are virtually never safe, and that's the problem LastPass has chosen to try to crack.
With 1Password+Dropbox, Dropbox doesn't know your master password. It only ever sees the encrypted vault, and doesn't have any opportunity to intercept any plaintext. (If your password is strong enough, you could probably even get away with posting your vault on a public website.)