1. What's irrelevant about having robust and constantly-evolving phishing detection, and optimized flows for getting people back into their accounts? Both of these are important in a high-quality login system IMO.

2. You're right that a lot of folks fail to even try for security, but I disagree that outsourcing password management to facebook won't help them. If they get popped and have no passwords, all that leaks is the information specific to their site. If they get popped and have passwords, then in addition all those users' passwords (which they likely share with other sites) are now in the open. The damage has spread beyond the one clowny site and screwed over those users' experiences on wherever they shared passwords. We actually invest a fair amount of time in automated systems that look for leaked password dumps from such sites and help clean up users whose leaked passwords match their Facebook ones.

Also, even in cases where people did things more-right, it's still incredibly damaging. Look at LinkedIn (who was hashed but not salted) or Gawker (who was hashed and salted, albeit poorly).

3. I guess I didn't convey this very well, but my point was that building your own login system is difficult. Getting everything right to ensure it's secure is actually pretty difficult, and requires constant attention if you're under any kind of targeted attack.

As for making fake Facebook accounts... please don't do that. You'll just open yourself to a bunch of headaches, as we're pretty aggressive with removing fake accounts from the site.