With physical keys, a lot of people forget about securing their keys. They leave them out where they can be photographed, for example, or quickly imprinted, or even just compared to another key with all the bite codes on it so the numbers can be noted.
Same goes for locks. A lot of people don't secure their locks, either, which leaves an attacker plenty of opportunity to bypass. Even an area with security which will detect an attempt to pick a lock or force it open, is still vulnerable. You see a guy go up to a door, stick a key in the lock like he belongs there, then suddenly he "forgets" something and walks away without opening the door. You might not think twice about it in a busy office building, but that guy just got pin imprints and will be back every day to do the same thing again, or send in somebody else, until one day an attacker walks up with a manufactured key that opens the lock and goes right in.
"Something you have" like physical keys aren't that great if you don't secure them. You need to make sure that the only people who have that something are authorized to have it, and you need to restrict hardware access to the lock. It's a tricky proposition in the best of cases. Biometrics are even worse than most cases, because at least a lock on an office door can be changed if a key is lost. You can't change your biometrics. Furthermore, we're talking about digital systems here, when biometrics are inherently analog. Your analog finger, eye, or whatever is being taken in as a precise yet inaccurate digital signal, some probability function is determining if you're "close enough", and then a computer chip says you're okay. It's like having a lock where if you jiggle different keys in it, the tumbler will still turn. To put it in computer terms, it's like taking a float in as input, truncating the decimal, and using it as an integer in your finely-tuned algorithm. There's all kinds of floats out there that will get you the integer you need to make your algorithm work the way you want it to. It's no longer "something you have", it's "something that's kinda like what you have".
"Something you know" like a combination or a password, has always been more secure. It uses math instead of the physical world and its inherent weaknesses. There's too many combinations to reasonably guess it in the amount of time you have, and you're forced to exploit some vulnerability in the locking mechanism to get in, like using a blow torch to melt the locking bolt, or exploit some vulnerability in the user of the lock, like he was stupid and used his birthdate as the combination, or wrote it down. Passwords, and combinations, are digital, instead of analog, which means there's exactly one password or combination that will work, instead of an infinite number of "close enoughs".
You still need security with your lock and key, whether your key is something you know or something you have, but at least with digital, changeable keys, you have the power of discrete math on your side, and if you do lose lock or key security, you can go ahead and change your key.
And if I've piqued anyone's interest in security of physical locks and physical keys, I highly recommend the books by pen-tester Deviant Ollam, specifically Keys to the Kingdom which covers a number of attacks most people never consider when they're securing their offices, server rooms, etc. Practical Lock Picking is good too, if you want to learn how locks are defeated by, surprise, picking them (bumping, shimming, and bypassing too).