There seems to be a lot of argument about just how easy the TouchID defeat is to perform. At 30 hours, it’s not exactly “easy”, but it’s doable, and by anyone with a reasonable set of maker skills.
But the real point is that it’s harder than just lifting the passcode.
Here’s a true story. I have a good friend whose iPhone passcode I know. How? Just by seeing him type it in. And, like most people, he never changes it. If I wanted to get into his phone and tweet “Poopin'” from it, I could any Tuesday night when we go drinking. It was very easy to get his passcode. It’s pretty easy to get anyone’s passcode, unless they use an extended one, which hardly anyone does. It is decidedly harder to get their fingerprint and spoof TouchID with it. This alone is reason enough why TouchID is better than a passcode.
But it’s more than that. TouchID means I can turn off Simple Passcode and use something longer and more complicated. And, because using your fingerprint is easier than even typing in a simple passcode, I’ve also set my iPhone to require it immediately, so any time I turn off the screen, it’s locked.
It is not flawless; it can be defeated. But it’s better than what most people have been using to date.
Like the best camera being the one you have with you, the best security is the one you’ll actually use.