A thief can steal your iCloud account with your phone's PIN code

Sunday, March 12, 2023

There was this article from the Wall Street Journal about how an iPhone thief can change the iCloud password of the account on that phone without knowing the current iCloud password. Basically, when changing the iCloud password from an iPhone, you only need to enter the PIN code that unlocks the phone; the current iCloud password is not required. So a thief will first try to steal the PIN code by shoulder surfing, or just by watching your hand as you type the code; then they steal your phone, immediately change the iCloud password with that PIN, and boom, you have lost your phone AND your iCloud account, along with everything associated with that account: photos, contacts, notes, and other passwords. Then they can use those passwords to log in to bank accounts, social accounts, and so on.

It was probably a tough decision to allow changing the iCloud password with only the PIN code, because far more people forget their iCloud password than have their phone and PIN code stolen. I just hope Apple can find a way to fix it, especially for people who care about this.

The situation is similar in the Android world: with the PIN code of an Android phone, a thief can change the Google account password.

For passwords alone, using Apple's built-in password manager is already better than nothing. But I still prefer a third-party password manager.

I have now switched to an alphanumeric passcode. It is harder to type, but with Face ID enabled I rarely need to enter that long passcode, like 3 times a day max.