Is that true though? AFAIK they sell CC info for pennies.
The good thing about the physical device is that you can easily tell if it's stolen.
For passwords, there are numerous services that keep track of the leaks and even Apple has incorporated that into their password manager but it all depends on mass leaks to work.
That seems a dubious assumption.
It's far more often that debit/credit cards are physically lost/stolen than digitally lost/stolen.
(The only thing preventing cards from being a massive day-to-day issue are very aggressive fraud-detection systems and financial controls.)