As someone also in this business, I would speculate that they give such advice because it is currently effective. It's hard to say whether that will remain the case when biometrics are more widely used. Perhaps, then, we find that storing hashes of all sorts of biometrics server-side is not such a good idea after all. Or if done client-side, then you basically have public key authentication which also exists today and is often recommended for things like ssh -- don't need biometrics for that, how you unlock your ssh key is up to you.
I've really embraced biometrics now that I understand that they're effective for certain use-cases when properly implemented.
For example, the primary threat model for my mobile device is a combination of shoulder-surfing and theft, because I ride a lot of public transit. So it's way more secure for me to touch the fingerprint sensor rather than constantly peck in my password while I'm being observed. A common criminal or homeless dude who steals/finds my phone won't know my password because I'm not revealing it, and they're unlikely to have access to my finger or its print.
If my threat model were different, say law enforcement/TSA confiscation or something, I might be more worried about walking around with fingerprint auth enabled. So if I head to the airport or enter some other high-risk area, I might consider disabling that, removing the sdcard and/or SIM card temporarily.
Biometrics as a way for my personal device to recognize my physical presence is mature tech, and useful for consumers in ways that passwords aren't.
Most modern biometric auth is implemented by the biometric device acting as an HSM and only agreeing to perform the cryptographic operation with its secrets if the proper biometrics are provided. Biometrics are never directly sent to the service you're authenticating to, instead it's using a form of PKI in the background where your biometric device is an HSM storing the client certificate.
This is less secure against dedicated attackers with physical access, but much more secure against remote attackers as there's usually no way to provide the biometrics to the HSM in software and the authentication key from the biometric device can't be stolen so you must keep persistent access to it to be able to use it every time you need to authenticate.
Things like FIDO Yubikey are basically a password unlocked by biometric information so someone needs the key AND your biometric information to unlock it. Even if someone knew your "biometric" information, they would still need the key.