I can change my password anytime if I think somebody copied it. I cannot change my fingerprint or retina. There is no way I'm giving random webshops or Google my biometric data.
Given that your current password is not stored in plain text (hard to keep a straight face when typing that), I'd assume that your retinal password would not be stored as a plain image file either.
Instead I can imagine that a hash of your retinal image is stored as your password, and that you can update your retinal password by rescanning your eyes and generating a new hash, which you can authoritatively tell the server is now your new password. Thus when the server is hacked and your retinal password compromised, you can generate a new one.
Note that I am not a security researcher and have no idea if what I just said is pure BS or not. However I would hope that people who ARE security researchers have already thought about these aspects.
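The scheme discussed in the reply above (store a salted hash of the scan, re-enroll to get a new stored value), as an added Python example that is not part of the original posts. The 64-byte template, the PBKDF2 parameters and all function names are assumptions made for illustration; the single flipped bit stands in for the fact that two captures of the same eye are not byte-identical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example


def enroll(template: bytes) -> tuple[bytes, bytes]:
    """Create a stored record (salt, digest); a fresh salt is drawn every time."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", template, salt, ITERATIONS)


def verify(template: bytes, salt: bytes, digest: bytes) -> bool:
    """Recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", template, salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def flip_bit(data: bytes, index: int) -> bytes:
    """Return a copy of data with one bit inverted (simulated sensor noise)."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)


def demo() -> dict:
    scan = bytes(range(64))            # constructed stand-in for a retinal template
    salt_old, digest_old = enroll(scan)

    # "Password change" after a server breach: same eye, new salt.
    salt_new, digest_new = enroll(scan)

    noisy_rescan = flip_bit(scan, 5)   # same eye, slightly different capture

    return {
        # An exact replay of the enrolled template verifies.
        "exact_scan_ok": verify(scan, salt_old, digest_old),
        # Re-enrolling does change what the server stores...
        "record_changed": digest_old != digest_new,
        # ...but the secret input is unchanged, so a copied template still passes.
        "copied_template_passes_new_record": verify(scan, salt_new, digest_new),
        # Exact hashing rejects a capture that differs by a single bit.
        "noisy_rescan_ok": verify(noisy_rescan, salt_new, digest_new),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Re-salting rotates the stored value but not the underlying secret, and an exact hash cannot absorb capture-to-capture variation, so a password-style hash behaves differently for a biometric than for a typed password.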