The point is that the phone with a crappy 4-digit PIN can be used to authenticate everything on every device the user owns that uses passkeys. It's a one-stop shop of failure.
The argument is that without your phone, you likely have no recourse to stop the attack, since your passkey on the phone is what controls your access now.