They're cheap, they can easily be changed, they're compatible with everything, and everyone (including developers) is already comfortable with them.
U2F/FIDO will probably take over in corporate environments, aided by SSO, in the next decade or so, and consumers may follow, but recovery is a huuuuuuge problem for those who can't punt that problem over to email providers.
Any sort of public/private key would be pretty secure, but humans would not be able to memorize them. And there are the usability problems for normal people, i.e. not knowing when to disclose the public vs. the private key, generating them, keeping them secret, etc.