You're misreading my point. I didn't recommend 'fail2ban' or claim any machine without it is as good as compromised. I recommended removing the attack surface entirely by not exposing SSH to the public internet. The point is removing an attack surface completely instead of relying on operator competency.
Relying on a 'sane password' is like seeing the stat '1 out of 10 cars is left unlocked' and commenting 'Yeah, but those people are stupid, I'd never forget to lock mine!'. While maybe true, it's irrelevant. It's objectively safer to keep the car in a private garage (Tailscale) than to leave it on a public street. Feel free to leave your car wherever.
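As an added illustration of the "private garage" point above (not the commenter's code), here is a small audit that reads an sshd_config and reports whether sshd would bind anything other than loopback or a Tailscale address; it assumes Tailscale's IPv4 node range 100.64.0.0/10 and uses constructed sample configs.

```python
import ipaddress

# Tailscale assigns node IPv4 addresses from the CGNAT range 100.64.0.0/10
# (assumption: IPv6 tailnet addresses are not handled here).
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")


def audit_listen_addresses(sshd_config: str) -> dict:
    """Classify every ListenAddress in an sshd_config text.

    Returns {"tailnet": [...], "public": [...], "loopback": [...]}.
    With no ListenAddress at all, OpenSSH binds every interface, which is
    reported as a public "0.0.0.0" entry.
    """
    found = {"tailnet": [], "public": [], "loopback": []}
    seen = False
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "listenaddress":
            continue
        seen = True
        value = parts[1].strip()
        # Strip an optional port: "[v6addr]:port" or "v4addr:port".
        if value.startswith("["):
            host = value[1:value.index("]")]
        elif value.count(":") == 1:
            host = value.split(":")[0]
        else:
            host = value
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            found["public"].append(value)  # hostname: cannot prove it is private
            continue
        if addr.is_loopback:
            found["loopback"].append(value)
        elif addr.version == 4 and addr in TAILNET_V4:
            found["tailnet"].append(value)
        else:
            found["public"].append(value)
    if not seen:
        found["public"].append("0.0.0.0")
    return found


def exposed_to_internet(sshd_config: str) -> bool:
    """True if any listener would face a non-tailnet, non-loopback address."""
    return bool(audit_listen_addresses(sshd_config)["public"])


# Constructed sample configs: the first has no ListenAddress (binds everything).
EXPOSED = "Port 22\nPasswordAuthentication no\n"
TAILNET_ONLY = "ListenAddress 100.101.102.103:22\nListenAddress 127.0.0.1\n"
```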