Why are password managers considered good security practice when they provide a single entry for an attacker to get all of your credentials?


38 Answers

Anonymous 0 Comments

A single point of failure that is very well guarded, encrypted/not stored unsafely on a 3rd party site, and maintained properly *can* be better than multiple easier points of failure that fail independently, partially because that last part isn’t always very true.

People often reuse passwords, use patterns in their passwords that are identifiable and exploitable when they *do* vary their passwords, and have emails and accounts that are the point of failure for many other passwords (get access to this specific one, and you can gain access to a number of others, kind of thing). What’s more, if you are not using a password manager, other less trusted sites can allow people to gain access to these email/higher-tier accounts when you reuse passwords or password patterns between the two. If you use the same password between sites, no matter how strong or hard to brute force it is, you just need it to be leaked or mishandled *once* to be an open door.

On the flipside, a bunch of unique and strong passwords are cumbersome, and practically speaking, people resort to creating predictable patterns in their passwords to offload this burden somewhat, or literally writing them down somewhere, which is arguably much less safe than just using a single password to encrypt your other passwords, such as through a password manager.

Two-factor authentication is still huge in terms of safety, though.
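
To make the reuse-and-pattern argument in the answer above concrete, here is an added example (not part of the original answer) that audits a constructed set of logins: for each site it lists which other accounts share the same password or the same memorised base, then repeats the check on independently generated passwords. The account names, passwords and the `base_pattern` heuristic are assumptions made for illustration.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample data: one person's logins without a password manager.
MANUAL = {
    "email":  "Tr0ub4dor&3",
    "bank":   "Tr0ub4dor&3",       # exact reuse of the email password
    "forum":  "Bluebird2021!",
    "shop":   "Bluebird2022!",     # same base, year bumped
    "social": "bluebird#social",   # same base, site name appended
}

def base_pattern(password, site):
    """Reduce a password to the part a person actually memorises
    (hypothetical heuristic): lowercase it, drop the site name,
    then drop digits and symbols."""
    p = password.lower().replace(site.lower(), "")
    return re.sub(r"[^a-z]", "", p)

def blast_radius(accounts):
    """For each site, list the other sites that share its password or its
    base pattern, i.e. what else is exposed if that one site leaks."""
    groups = defaultdict(set)
    for site, pw in accounts.items():
        groups[base_pattern(pw, site)].add(site)
    return {site: sorted(groups[base_pattern(pw, site)] - {site})
            for site, pw in accounts.items()}

def managed(sites, length=20):
    """What a password manager does instead: an independent random
    password per site, so no site's password says anything about another."""
    alphabet = string.ascii_letters + string.digits
    return {s: "".join(secrets.choice(alphabet) for _ in range(length))
            for s in sites}

if __name__ == "__main__":
    for site, exposed in blast_radius(MANUAL).items():
        print(f"{site:7} leak also exposes: {exposed or 'nothing'}")
    for site, exposed in blast_radius(managed(MANUAL)).items():
        print(f"{site:7} (managed) leak also exposes: {exposed or 'nothing'}")
```

Run against your own exported list, every non-empty entry is an account that should get a fresh generated password.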
