
Quoting James Harper (james.harper@bendigoit.com.au):
> For us know-it-all IT types that might be true, but many people use the same username and password _everywhere_, so it is far more likely to have a username/password combination stolen than a key and I wouldn't say "equally easily stolen".
I submit that someone who uses the same username/password everywhere is rather likely to use the same keypair and passphrase in as many places as possible, too. If he/she merely uses the same SSH passphrase everywhere, that's just about as bad, because it means the private key can get stolen and used locally, and then the imposter sshes to the next system, repeats the theft, and so on. But yes, users' attraction to credential reuse is one of the Big Problems. FWIW, my own solution is to run Martin Pool's Keyring on a PalmOS PDA. http://gnukeyring.sourceforge.net/