That's why you combine them. Nobody is saying auth should purely be based on biometric. It's all three: Something I know, AND something I have, AND something I am. If your DNA is compromised, you still have the thing you know and the thing you have to keep you secure.
I mean, if someone is forcing me to login at gunpoint, I'll gladly oblige - no need for them to gouge my eye out.
This is not the threat model being used here. This feature is meant to protect you when you forget your yubikey on your laptop while on lunch break, allowing any co-worker from logging in/using the GPG keys stored within.
If someone is willing to do that to you to get to the things behind the password, it wouldn't matter whether you enrolled a biometric factor. At that point it's not a tech problem anymore.
Also, just a nit, iPhones aren't purely biometric. You have to input your pin after reboot or a long period of inactivity. I'll agree it's still a bit too close to being a password for comfort though.