Reply to post: Re: NoPassword

'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows

Roland6 Silver badge

Re: NoPassword

>All you have to do is protect your email account with a strong password and 2FA.

Shame that the most useful email account, and the one most likely to be used by the majority, is the one on the phone, which as we know is typically set to auto-login, and as 2FA gets in the way of inbox update scanning, 2FA is disabled. Thus the 'secure' email account is protected by the relatively weak phone lock. Thus we are back to access being largely defined by possessing the physical device and knowing the passcode.

The key which everyone, including Stackoverflow's Jeff, is missing, isn't so much password security in itself but the security around the 'lock' and credential storage. Note, Jeff's only real complaint about passwords of 8 or fewer characters is that someone with access to the hash can undertake a dictionary attack. What he omits is any measure of how secure, say, a 4-digit password is where the rules are: you have three attempts before access is blocked (i.e. bank card) and you have to use alternative means to regain access.

Thus the big issues are, firstly, getting over the misconception that complex-to-humans passwords are more secure than long, simple-to-humans passwords. The second is getting devs and system builders to understand the need to build security in depth by implementing a few basic and very simple principles.
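The comment above contrasts two threat models: an attacker who holds the stored hash and can guess offline without limit, and an attacker facing a 'lock' that blocks access after three failures. The following is an added illustration, not code from the commenter or from The Register, of what "security around the lock and credential storage" looks like in practice. It assumes a three-attempt budget (mirroring the bank-card rule in the comment), PBKDF2 as the slow hash, and a 4-digit PIN; all of these values are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_ATTEMPTS = 3            # assumed policy: three failures, then the lock engages
PBKDF2_ITERATIONS = 100_000  # assumed work factor; slows offline guessing if the hash leaks


class LockedOut(Exception):
    """Raised once the attempt budget is spent; recovery must go through another channel."""


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted, iterated hash: a leaked digest cannot be checked against a
    # precomputed table, and each offline guess costs PBKDF2_ITERATIONS rounds.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def enrol(secret: str) -> Credential:
    salt = os.urandom(16)
    return Credential(salt=salt, digest=hash_secret(secret, salt))


def verify(cred: Credential, attempt: str) -> bool:
    """Online check: constant-time compare, failure counter, hard lock after MAX_ATTEMPTS."""
    if cred.locked:
        raise LockedOut("attempt budget exhausted; use the out-of-band recovery path")
    ok = hmac.compare_digest(hash_secret(attempt, cred.salt), cred.digest)
    if ok:
        cred.failed_attempts = 0
        return True
    cred.failed_attempts += 1
    if cred.failed_attempts >= MAX_ATTEMPTS:
        cred.locked = True
    return False


def online_guess_success(keyspace: int, attempts: int) -> float:
    """Chance a guesser wins against the lock: at most `attempts` distinct tries out of `keyspace`."""
    return min(attempts, keyspace) / keyspace


def offline_guess_success(keyspace: int, guesses: int) -> float:
    """Chance a guesser holding the hash wins: no lock, so the budget is limited only by compute."""
    return min(guesses, keyspace) / keyspace


if __name__ == "__main__":
    pin_space = 10 ** 4  # every 4-digit PIN
    cred = enrol("4821")  # constructed sample PIN
    print("correct PIN accepted:", verify(cred, "4821"))
    for wrong in ("0000", "1111", "2222"):
        print("wrong PIN", wrong, "accepted:", verify(cred, wrong))
    print("locked after three failures:", cred.locked)
    print("online success with the lock:", online_guess_success(pin_space, MAX_ATTEMPTS))
    print("offline success with the hash:", offline_guess_success(pin_space, pin_space))
```

With the lock in place, a guesser's chance against a 4-digit PIN is 3 in 10,000 no matter how "complex" the digits are; with the hash in hand and no lock, the whole 10,000-value space is exhausted. That is the gap the comment points at: the strength of the secret matters far less than whether the system lets anyone guess without bound.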


Biting the hand that feeds IT © 1998–2019