Back in 2004 Bruce Schneier wrote on his blog
I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, “Nothing–you’re screwed.”
Then going with
But that’s not true, and the reality is more complicated. You’re screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.
However, I think first statement is actually true and not only for average users, but especially for average users. Some people here doubted that it was just a typo from Mr. Delavan, if true, it could be a great example that even non-average users can be outsmarted & screwed.
For sure, using just passwords for authentications is like keeping door closed, but not locked. The difference is you can live in a good neighborhood and never mind, but internet is a district you usually try to avoid IRL.
You can do a lot to protect yourself, things like 2FA/U2F make you way more protected, but it’s still “a modicum of security”.
The only thing I disagree with this article is part about password managers. I don’t trust them. As for me, they’re SPOFs I better avoid. However, I don’t have that big of experience using them and this can be my prejudice. You’re welcome to change my mind.