I use 256-bit keys to defend against possible future weaknesses discovered in the algorithm that allow better than brute-force attacks. I know full well that given a theoretically ideal computer (in terms of energy use for computation achieved) and extremely optimistic assumptions about the amount of computation required to check a key, it would still take the energy output of a supernova to crack the key if brute force were required.
Also, from what I know, quantum computers will have only a very limited effect on symmetric key cryptography. From what I know, the search algorithms possible using a quantum computer effectively halve the key-length of a symmetric key, which makes symmetric keys still pretty darn good, even with quantum computers.
Lastly, all known asymmetric algorithms completely fail in the face of a working quantum computer with a sufficient number of gates. These are the algorithms that typically require key lengths of (at the very least) 1024 to be secure. In fact, in order to achieve a level of security equivalent to a 256-bit symmetric block cipher key, you currently need something like an 8192 bit asymmetric key. But, for a 30 year time window, 3072 bits is probably enough.
The exponential increase relation does not hold for asymmetric keys. The increase in computation required to break per added bit goes up by more than a polynomial factor, but by less than an exponential one.
Of course, once again, with quantum computers with a sufficient number of gates, adding a bit just gets you a linear increase in computational complexity to break, which is exactly the same order of increase as it takes to use. But this is only with asymmetric key cryptography, not with symmetric key.