They only fix 2 problems - weak passwords and keyloggers.
That's not true. They also provide protection against:
- Shoulder surfing attacks, which require no compromise to the internals of the endpoint
- Storage of data encrypted with a protocol that later proves vulnerable in some interesting way, such as a key compromise
For example, consider Heartbleed. If someone stores your encrypted communication, and later compromises a host's private key, that attacker could ostensibly decrypt those communications. If you use a password, that password is compromised, and it's "Game over, man." If you use a physical token, only the PIN is compromised (assuming the actual verification happens in a separate process).
Ideally, you would still want to issue new PIN codes, but the account hijacking risk would be largely mitigated by the physical token requirement, at least after the n-hour cookie expiration window passes. You could even eliminate that window by expiring any cookies in your authentication database before bringing it back online after you fix the Heartbleed vulnerability.
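The remediation step at the end (void every session cookie minted before the fix, instead of waiting out the n-hour window), as an added example that is not part of the original comment: an HMAC-signed session cookie checked against a server-side "not valid before" cut-off. The signing key, user names and timestamps are constructed for the demo.

```python
import base64, hashlib, hmac, json

# Assumption: a server-side cookie signing key (constructed placeholder, not a real secret).
SIGNING_KEY = b"constructed-demo-signing-key"
SESSION_TTL = 3 * 3600  # the "n-hour" cookie lifetime from the discussion, in seconds


def _mac(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


class AuthDB:
    """Issues session cookies and records the earliest issue time still accepted."""

    def __init__(self):
        self.not_before = 0  # any cookie issued before this epoch second is void

    def issue(self, user: str, now: int) -> str:
        payload = base64.urlsafe_b64encode(json.dumps({"u": user, "iat": now}).encode())
        return payload.decode() + "." + _mac(payload)

    def revoke_all(self, now: int) -> None:
        # Run before bringing the service back online after the key compromise is fixed:
        # every cookie minted before `now` is rejected even if it is still inside its TTL.
        self.not_before = now

    def validate(self, cookie: str, now: int):
        """Return the user for a valid cookie, or None if forged, expired or revoked."""
        try:
            payload_b64, mac = cookie.split(".", 1)
            payload = payload_b64.encode()
            if not hmac.compare_digest(_mac(payload), mac):
                return None  # signature mismatch: tampered or forged
            claims = json.loads(base64.urlsafe_b64decode(payload))
            user, iat = claims["u"], int(claims["iat"])
        except (ValueError, KeyError, TypeError):
            return None  # malformed cookie
        if iat < self.not_before or now - iat > SESSION_TTL:
            return None  # revoked by the incident cut-off, or past the n-hour window
        return user
```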