As for the statistical analysis, it's mostly irrelevant. The encoding algorithm is both reversible and published. So you can extract "Decoy data" from ANY picture that you find, Decoy or no.

I understand that, and I understand that it should be impractical to decrypt the hidden image without its key given that strong attacks on AES have not yet been publicly found (key exchange difficulties, which are always considerable, aside). But I think you're being far too nonchalant about detection here. The fact that you can extract "decoy data" from any image is wholly irrelevant; it's the statistical properties of those bits that I'm interested in, and with maybe a million bits of data to play with, the bias per bit does not have to be very high for an attacker to be very confident that some kind of steganography's going on.

That does not, of course, prove that it's being used to hide anything interesting from an attacker's point of view; but that was never the point of this objection.