by Artlav 3104 days ago
Ideally, passwords are in the heads of users, not accessible from a device. A key would, necessarily, be stored on a device, easily stolen by viruses or by stealing the device.

Also, it takes more discipline and understanding to handle keys than it takes to handle passwords.

Practically, there is no salvation anyway.

1 comment

A user who is worried about theft of their private key could put a long [0] passphrase on it, but alas, the service provider who supports key auth can't enforce that keys be passphrase-protected [1]. A user who does this is effectively creating a 2FA requirement for their account. But to your second point, the onus is on the user, which isn't ideal.

[0] It can be brute-forced offline -- https://security.stackexchange.com/questions/62455/find-pass... -- so unlike online password checking that can be rate-limited, length is essential.

[1] https://serverfault.com/questions/589680/disallow-ssh-keys-w...
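As an added example, not from either commenter: since the server side cannot tell whether a key is passphrase-protected, the check has to happen where the private key lives. The audit below reads the cipher and KDF names from the `openssh-key-v1` header (or the `Proc-Type` header of a legacy PEM key) to report whether a key file is encrypted at rest. The key blobs are constructed inline and are not real keys; `_build_openssh_key` and `key_is_encrypted` are names chosen here.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"


def _build_openssh_key(cipher: str, kdf: str) -> str:
    """Constructed sample: a minimal openssh-key-v1 blob carrying only the
    header fields this audit inspects (no real key material)."""
    def s(b: bytes) -> bytes:          # SSH length-prefixed string
        return struct.pack(">I", len(b)) + b
    body = MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


def key_is_encrypted(pem: str) -> bool:
    """True if the private key file is passphrase-protected on disk."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        pos = len(MAGIC)
        fields = []
        for _ in range(2):                 # ciphername, then kdfname
            (n,) = struct.unpack(">I", blob[pos:pos + 4])
            pos += 4
            fields.append(blob[pos:pos + n].decode())
            pos += n
        cipher, kdf = fields
        # An unencrypted key is written with cipher "none" and kdf "none".
        return cipher != "none" and kdf != "none"
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])


def audit(keys: dict) -> list:
    """Return the names of keys that are stored without a passphrase."""
    return [name for name, pem in keys.items() if not key_is_encrypted(pem)]


if __name__ == "__main__":
    sample = {"id_ed25519": _build_openssh_key("aes256-ctr", "bcrypt"),
              "id_old": _build_openssh_key("none", "none")}
    print("unprotected keys:", audit(sample))
```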