Isn't this sort of security something we wish we didn't have to learn? And for people who don't take the time, maybe it's best to let a third party handle it.
Absolutely. Time spent on your auth scheme is time you're not spending on building your product. (And half-assing your auth scheme generally comes back to bite people.)
That said, outsourcing it to a centralized provider may not be the best idea for business, user, or security reasons. So it's a balance.
Of course, I'm biased: I work on the Persona team at Mozilla, where we're trying to build a simple, secure, fully decentralized, and open source authentication system that fits that niche rather nicely, but the points above stand: you have to figure out the opportunity cost of your chosen solution. There's no universal answer.