That was my initial reaction as well, but it isn't necessarily true. If you read up on how Windows Hello uses a PIN, then it becomes clear that they can be pretty secure where: (1) a PIN is tied to the device; (2) a PIN is local to the device; and (3) a PIN is backed by hardware.
https://learn.microsoft.com/en-us/windows/security/identity-...
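A quick check for point (3), added here as an example and not part of the comment above or of Microsoft's documentation: whether the machine you are sitting at actually has a present, ready TPM and a Windows Hello credential set. It uses only built-in tooling: the Get-Tpm cmdlet and dsregcmd.exe /status (whose KeyProvider, TpmProtected, NgcSet and NgcKeyId fields are real output). The "hardware-backed" verdict at the end is my own heuristic, because dsregcmd reports the protector of the device key, not of the Hello (NGC) key itself; it also only reports device-key details on a joined or registered device. Run it from an elevated PowerShell session.

```powershell
# Added example: does this device meet the "PIN backed by hardware" property?
# Not the commenter's or Microsoft's code. Requires an elevated session (Get-Tpm).

function Get-DsregStatus {
    # Parse the 'Name : Value' lines of 'dsregcmd /status' into a hashtable.
    # The box-drawing section headers (+---- and | ... |) do not match and are skipped.
    $map = @{}
    dsregcmd.exe /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $map[$matches[1].Trim()] = $matches[2]
        }
    }
    return $map
}

function Test-HelloHardwareBacking {
    $tpm = Get-Tpm            # TpmPresent / TpmReady booleans from the TPM WMI provider
    $dsr = Get-DsregStatus

    $result = [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        # Device-key protection as reported by dsregcmd. Only populated on a device that is
        # Entra joined or registered; "Microsoft Platform Crypto Provider" means TPM-resident.
        KeyProvider  = $dsr['KeyProvider']
        TpmProtected = $dsr['TpmProtected']
        # NgcSet = YES means a Windows Hello credential (PIN/biometric key) exists for this user.
        NgcSet       = $dsr['NgcSet']
        NgcKeyId     = $dsr['NgcKeyId']
    }

    # Assumption (mine): call the PIN hardware-backed only when a ready TPM is present and a
    # Hello credential is set. dsregcmd does not print the protector of the NGC key itself, so
    # a missing or software KeyProvider is a reason to look closer, not a proof either way.
    $hardwareBacked = [bool]$tpm.TpmPresent -and [bool]$tpm.TpmReady -and ($dsr['NgcSet'] -eq 'YES')
    $result | Add-Member -NotePropertyName HardwareBackedPin -NotePropertyValue $hardwareBacked
    return $result
}

Test-HelloHardwareBacking | Format-List
```

If TpmPresent is False, Windows Hello falls back to software-protected keys and properties (1) and (3) no longer hold in the way the comment describes; that is the case to flag when auditing a fleet.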