by _0o6v 1969 days ago
There are certain fundamental security requirements that don't change, regardless of whether you have 10 users or 10m. If you have a breach, you have a breach. Numbers of repos, databases, servers have very little (nothing) to do with the security requirements of storing personal data.
1 comments

Yes and no. Complexity, source code volume, data volume and amount of users naturally introduce failure states that are not found in a simpler system. They also reduce your facility for reasoning about the whole, and the amount and type of assumptions you are allowed to make.

Google, an indie game, a SaaS, or a custom web app shop all have different security engineering requirements, including authentication, often per project.

Also outsourcing auth and not having full control over it is not feasible or even allowed for some domains or projects for a multitude of reasons. Not to mention that using an external service has at least a constant complexity cost.

That said, these kinds of services are definitely worth considering for many. There is something to be said for the advantages of specialization and cost-benefit as well. Reliability is not optional for an auth system, and I'm sure these engineers are really good at what they do. However, the challenge would rather be convincing business, not engineering.