The default behavior is generous enough. I can't imagine wanting to extend it, especially if commerce is involved. I'm unfamiliar with woocommerce, I would hope the little remember me check box is removed. That essentially invokes an auto login condition as long as the user doesn't explicitly logout and returns within a certain time frame. Possibly OK for a blog, but not for commerce.
In any case, it shouldn't be too hard to extend the remember me time frame, but whether it can be done without a core hack, I don't know. Of course, it's not a true auto login since if the user logs out, they have to manually log in again. But that is as it should be. As a user, I would freak if I explicitly logged out of a site, only to return the next day and find I'm still logged in. So there is no need to replicate user management functions, simply significantly extend the time frame used by the current user management functions. (At your client's peril)
Yes, login based on cookie existence is a security risk. Even session cookies are a risk. It's easy to imagine a situation where a user fails to properly end their session, leaving their access open for anyone that happens by. Commerce sites need to strengthen WP access, not loosen it!