With Facebook accounts, hackers generally go for the low hanging fruit. If we're talking about money, yes it is insecure. There was a string of thefts of Bitcoin in 2015 when hackers got local access to people's machines and used keyloggers.
Using a local file is also pretty inconvenient if you use the same accounts over many devices, including public ones. You can use Dropbox, but that introduces new risks as well.
Copy and paste.
Clipboard is also a common point of attack both on desktop and on Android, in the latter because it requires no special permissions to access.
I concede all of these points. If I had to type in my passwords, I would have to have shorter passwords. Google authenticator is something I enable where ever I can. I have heard good things about Last Pass.