Biometrics can be easily duplicated from photos of people at parties. If you’re holding a glass in the background of a picture that was posted on Facebook, someone could clone your fingerprint. This has been proven to work on the cheap. Photograph a person with an IR camera from a distance and you can duplicate their retina scan.
The PIN is only as safe as the device it’s on. People are still getting their phones hacked by malware just to steal in-game currency. Malware poses as some useful software, someone happens to install it, bam. This would be like a remote phishing attack: gain access to a person’s phone remotely, steal the 2FA secrets from the phone.
You can’t remotely deactivate a phone that doesn’t have signal. Anyone can block the signal with a piece of foil.
For a typical person who had their phone lost or stolen by some random thief, probably not an issue. But if you became a target and the stalker took their time, they’d eventually find a way to gain access to your phone remotely or bypass your security PIN/biometrics. Phones can be and are compromised; a YubiKey cannot (in theory). That’s the difference.
Software and hardware are getting better at resisting and limiting compromises, but they’re not quite there yet. When we start seeing applications running in separate encrypted memory space from the host OS, Mach kernels where parts of the kernel are isolated from each other, and system code written in memory-safe languages, then phones will start to become trustworthy.