...Until someone hacks your system and manages to grab the password. The nice thing about keys is you don't have to reveal your secret, just prove you have it.
Sadly the revered secret is usually stored as safely as the password in plain text on the compromised server. I would any day recommend someone to use 40 character random passwords locked down on the client, available through pasting, than have them fumble around with improper key exchanging.
It's pretty typical to audit all your destination servers (which may number in the thousands) to ensure that they don't have private keys (the id_rsa) - in theory all they need is your id_rsa.pub.
Then, you only need to worry about securing your clients - and, it's typically difficult to wholesale (a) hack into all the clients, and then (b) yank the encrypted id_rsa off of them (as compared to hacking into a destination server, and then just wholesale waiting for people to login and grab their password). It's next to impossible in a secure environment (financial/medical/utility) where they have hardware dongles which contain their id_rsa. (Or, they move into a new class of secure, and use One Time Passwords, RSA Tokens)
Net-Net - multi-use static passwords are not used in secure environments.
