Yup. And they are, technically, because if someone has that one login and password, they can access all your accounts.

But it turns out that keeping that 1 login and password in your head and trusting the rest to your password service (especially if you let it make random passwords) is way more secure than what people do if they have to try to keep them all in their head.

So it's about relative security. Both sides are correct, in their narrow views of the situation.

It can be. Single master password, if leaked or otherwise getting into the wrong hands, gives access to all your auth details. This is part of why I keep to a desktop based password manager rather than an online one.

But it depends on your threat model and attack surface area/shape. A strong password on a post-it on your monitor is stupidly insecure locally, but far more than just having a weak password if you consider only non-local (to the user) attacks (neither that site hacker in far-off Hackyoustan nor his pet bots can see the post-it, but could try brute force a short easy to remember password).

Yes, if not explicitly then by their actions definitely. E.g.: there is only a single bank in France that hasn't switched to a stupid 6-8 digit system where you have to click buttons that appear in random order. Before then they often disabled autofill on passwords (luckily that could have been easily bypassed). They incessantly re-invent the wheel for 2-factor auth and so on. I find it very curious why banks of all institutions are those with the worst security.