The password isn’t the encryption key. The password is used to access the encryption key. The cipher is considered secure because, if you have the ciphertext (and even if you assume the attacker knows that you used AES), it’s essentially impossible for them to figure out the key from that. That’s why keys need to be kept secret.
If they know you used a short/bad password and they have access to the key generator, then you’re right that it would be easy to brute force the password. But that’s really not AES’s fault, that’s bad key security.
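An added illustration of the point above, not part of the original answer: the key's real strength is capped by the password it was generated from. It assumes the "key generator" is PBKDF2-HMAC-SHA256; the function names, the PIN, the salt and the low iteration count are all constructed for the demo.

```python
import hashlib
import hmac
import itertools
import math
import string

ITERATIONS = 200   # assumption: kept tiny so the demo finishes fast; real systems use far more
SALT = bytes(16)   # constructed fixed salt so the run is reproducible


def derive_key(password: str, salt: bytes) -> bytes:
    """Stand-in for the 'key generator': password -> 32-byte AES-256 key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of work needed to enumerate every value of this shape."""
    return length * math.log2(alphabet_size)


def recover_password(target_key: bytes, salt: bytes, alphabet: str, length: int):
    """Run every candidate password through the key generator.

    Returns (password, attempts), or (None, attempts) if nothing matches.
    """
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        attempts += 1
        candidate = "".join(combo)
        if hmac.compare_digest(derive_key(candidate, salt), target_key):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    key = derive_key("4821", SALT)  # constructed 4-digit PIN
    found, tries = recover_password(key, SALT, string.digits, 4)
    print(f"recovered {found!r} after {tries} guesses")
    print(f"4-digit PIN:        {search_space_bits(10, 4):.1f} bits")
    print(f"12 random printable: {search_space_bits(94, 12):.1f} bits")
    print(f"raw AES-256 key:    {search_space_bits(2, 256):.1f} bits")
```

Guessing the 256-bit key directly is infeasible, but walking the password space is only about 13 bits of work for a 4-digit PIN; a long random password and a slow, salted key generator are what close that gap.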