It's all about Purpose
Apple are not the only manufacturer to use their marketurds to deliberately confuse and mislead customers, so this is not an anti-Apple dig except insofar as it is the most high-profile recent offender.
The problem is that fingerprints and face-id are not only not the same as PIN, they are actually for different purposes. It's a mistake (a deliberate one by Apple et al) to conflate "*quick* access for me" with "access *only* when I approve".
Fingerprints and face-id provide a means of quick access which works for the user while making it unlikely that anyone else in the vicinity can get the same ready access to the device. Some effort is required to copy fingerprints, and a bit more still to replicate faces. It's perfectly obvious that both are insecure given that the Stasi can physically coerce you into swiping a finger, or even more easily just wave your own phone at your face, to unlock. More sophisticated black hats can copy prints and so on, which makes both technologies quite useless for those with real secrets, against whom professional resources would be worth deploying.
PIN, on the other hand, while being inherently slower and more fiddly, fills the "access *only* when I approve" purpose. Using a 10-digit mixed-alpha-symbo-numeric passcode gives you around 3 sextillion options (3x10^18) which, even if we assumed the phone's code was so poor as to allow endlessly repeated tries every millisecond, would take a mean time of over 40 million years to successfully brute-force. And of course, while the Stasi can fingernail the PIN out of you, that requires time and effort and some damage, a risk and investment that goes far beyond simply waving the device's camera at you. Even Trump's imbeciles at Homeland Security know better than to leave torture marks on journalists. (And of course, a properly secure device will allow a purposely incorrect passcode to permanently wipe its contents, so that the paranoids and spooks can trash the data even while the splints burn down to the quick.)
So I submit that we're missing the point with blanket dismissal of fingerprint or face-id, and should be more specific in our criticism.
Face-id and fingerprint are fine for quick, easy access and very poor security.
Long, random PIN/passcode, well implemented on a properly encrypted device that does not allow repeated rapid brute-forcing, is the only truly secure system if you really need secrecy.
And bear in mind—no one should need to be told this in 2017—leaving stuff on your mobile device like bank details, stored passwords, automatic logins, may well count as "needing secrecy". You don't necessarily need to be a spook or a Guardian journalist.
The enemy of decent security is laziness, when you come down to it.