I think a solid example of an ICO that fails all 3 points is EtherParty.

A centralized SaaS used as a gateway to deploy smart contracts and implements a proxy token (FUEL) to replace ether (or eventually btc and other native blockchain currency).

Essentially, they are putting a form based interface (and plans for mobile app) that hits some API endpoints (all centralized) in front of the smart contract creation and deployment process under the premise of making it easy. There is nothing inherently wrong with this and many products (call them DAPPS if you like) that leverage smart contracts of course have some UI to do this basic thing. The rest of EtherParty is based on the assumption that a huge market including consumers and enterprise would use this on a daily basis and so they put a value on this service, via their ICO details, as being worth hundreds of millions of dollars.

There is no new decentralized network but rather taking advantage of existing networks by putting up a centralized service in front of them which of course becomes a huge target and security risk. Not only would this SaaS model depend on security experts and smart contract auditors (which also opens up attacks from the inside to compromise customers) but the inherent liabilities of this model are so great that sane business analysts and owners would be hesitant to consider a supposed easy interface as acceptable trade-off for all the newly introduced attack vectors. The wise decision would be to internally handle the occasional smart contract deployment as opposed to paying high fees and using this unnecessary proxy token.

Of course there are countless examples of bad ICOs. This one stands out for me, in part because of the aggressive marketing and history of the people behind it, because it fails on so many levels on what I think qualifies as an acceptable and legit use of crypto tokens and token sale models. Also, I would argue that FUEL tokens are securities masked as utility tokens like so many others.