
It doesn't actually. If the authenticator expects passwords, then this simply moves the problems you cite to another part of the system. These are the sources of compromises on the modern web. It's a neat system - but it doesn't solve the key issue.



Doesn't really matter if the authenticator expects a password, because that password _isn't_ what's used to authenticate to the site itself; it's always a public/private key pair.

If the user decides to use 12345 as his password for a Web Authentication authenticator that's obviously less than ideal, but still impossible to phish (the browser validates the domain the user is on), infeasible to brute force without access to the user's device (where the actual key pair is stored), and impossible to compromise in a data breach (the site only has a public key).


It's the weakness of single sign-on - if the authenticator is compromised, then the attacker now has the key that controls access to all the keys.


Sort of. Except the attacker has to compromise each user individually; there's no centralized server to target as is the case with existing single sign-on services.


This already happens - it's called spear phishing. Instead of wasting time with multiple users, the attacker picks a high-value target. For example, if you can get one admin, it's game over.


In this thread, you keep moving the problem statement to cover a smaller and smaller subset of the general problem of account compromise. This is exactly what the attackers you're describing will do.

That's the point of this solution. If we can remove the vast majority of account-compromise tactics and force attackers to achieve success only if they "get one admin," then that's an incredible victory -- especially for the large number of ordinary people who are not admins.


True. But spear phishing is also harder with this standard, since you can't just phish credentials; you need to actually compromise the user's authentication device. (Get root on the user's phone, physically steal their authentication token, etc.)



