
Attackers don't bother stealing physical tokens - way too hard. It's much easier to ask for token re-issue using compromised info. See for example https://www.techlicious.com/blog/phone-porting-scam-can-empt...



Right, if a service provider is willing to register new public keys/certs (or any kind of credential) on your account as a result of identity fraud, that is indeed a different problem. But not nearly as big as phishing and password reuse.

So, I don't see how the presence of that problem suggests it's not worthwhile to work on better types of credentials.


If one link of the chain is broken, it's game over. While this is a good effort, my point is that not considering the entire system as a whole simply transfers problems from one part of the domain to another.


You are right in a sense. Right now the problem is up to individuals to create secure passwords for each and every website they interact with, people who have no idea how computer security works. The problem now is also on individual website developers to be trusted with those passwords and keep them secure.

This transfers the problem away from both of those groups. Individuals no longer have to create multiple secure passwords and website developers no longer have to store those precious secrets. This is a huge improvement. You are correct that it's not perfect, but instead of security pros spending all their energy teaching people how to manage passwords, they can focus on the remaining problems that you point out.


> simply transfers problems from one part of the domain to another.

No, it completely eliminates several huge vulnerability domains. Just because it doesn't solve a different one doesn't make it bad.
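An added example (not code from anyone in this thread) of the point made in the two comments above: a minimal challenge-response login in Go where the server stores only public keys, so a leaked user table holds no reusable secret, and a signature bound to the genuine origin does not verify when produced for a look-alike site. The Server type, the Sign helper and the origin https://bank.example are constructed for this illustration; the credential re-issue problem raised earlier in the thread is deliberately out of scope here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Server keeps only public keys plus one-time nonces; nothing in it lets an attacker log in.
type Server struct {
	origin string
	users  map[string]ed25519.PublicKey
	nonces map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh random nonce that Verify consumes exactly once.
func (s *Server) Challenge(user string) []byte {
	s.nonces[user] = make([]byte, 32)
	rand.Read(s.nonces[user])
	return s.nonces[user]
}

// msg binds the nonce to the origin the client believes it is talking to (phishing site: wrong origin).
func msg(origin string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), nonce...))
	return h[:]
}

// Sign is the client side; the private key never leaves the client.
func Sign(priv ed25519.PrivateKey, origin string, nonce []byte) []byte {
	return ed25519.Sign(priv, msg(origin, nonce))
}

// Verify uses the server's own origin, not a client claim, and consumes the nonce so replay fails.
func (s *Server) Verify(user string, sig []byte) error {
	pub, ok := s.users[user]
	nonce, okn := s.nonces[user]
	delete(s.nonces, user)
	if !ok || !okn || !ed25519.Verify(pub, msg(s.origin, nonce), sig) {
		return errors.New("no outstanding challenge or signature does not verify")
	}
	return nil
}
```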




