I agree with all of your points, I'd just like to point out that, even if everyone ends up using software authenticators (password manager-style) with WebAuthn, we'll still be in a much better position than we are today, where people just use the same insecure password everywhere.