Re: millions of times more complex.
So replace "pixels" with "3d dots". In fact, as said, with some IR reflective paint, and a TV remote control (IR light source) you could spoof an IR dot matrix. As shown in the other Reg reports, these things can be "spoofed" so a single paint blotch on a gun makes it look like a turtle, and a well painted turtle looks like a gun.
And several other posts along these lines.
You choose the unlock method that suits the level of security you are seeking.
1) Just stop kids/friends screwing around with your phone (changing ringtones, etc), probably the most common use case - faceid, pattern, perfectly fine.
2) stopping an opportunistic thief stealing your phone to sell on from accessing your data again faceid and pattern unlock are perfectly fine - probably the 2nd most frequent use-case.
3) Has some business stuff or private stuff on it you don't want getting out, - fingerprint or passcode.
4) keeping an affair or financial information in case of a divorce secret from your significant other - passcode (nothing that they could access while you slept in the bed beside them) - probably 3rd most common use-case.
5) Has some highly sensitive stuff on it that many people might specifically target you for (financial secrets that could allow billion dollar insider trading/stock manipulation, or research on stuff you haven't patented yet - industrial espionage), professional thieves or government agencies that have the resources to - and care factor - to build a 3-d model of your face or steal fingerprints and make impressions of them - passcode.
6) Has really sensitive stuff on it - kiddie porn, national security type stuff that foreign espionage would extraordinary rendition you for - where they might just beat you with a rubber hose or pull your teeth out before they turn you into a corpse and feed it to the pigs - just don't put it on a phone at all.