You're correct about passwords of course (though the Supreme Court has sided with law enforcement a lot), but that only matters if the Bad Guys can only get at your server while it is turned off and encrypted. If it is turned on (as most servers are), then they just need a remote exploit or physical access (or a logged-in phone). Or maybe a backup drive since people often forget to encrypt those. (Or they don't have a backup drive, their RAID set dies, and we have another kind of failure.) Compare that to a Gmail account secured with a U2F key; it doesn't stop all of the attack vectors but it helps.
There is no perfect security, but as I said, most tech folks overestimate their ability. I used to run my own server, and tried to do everything right, though I'm sure I missed a lot. But I've got better things to do with my time than spend weekends running updates and trying to deploy two-factor on my personal box, and trying to recover from encrypted backups after a disk failure. Maybe I'm just old.
You are correct that it's much more likely that this AP will be up-to-date, but there still isn't exactly good precedent for devices running Google's OSes being updated like they should be, or for features to not become abandoned when their backend cloud-side stuff is written out from underneath. It might be up-to-date, or it might be abandoned and the few owners left to their own devices.
Actually, there is very good precedent. Chromebooks and Nexus Android devices (both of which get their OSes directly from Google) have been very well updated with timely security patches and new features (as have Chromecasts and Wear AFAICT though for a much shorter time). You may be thinking of non-Nexus Android devices, where the OS comes from another vendor; those are poorly updated, but you can hardly blame Google for that. But it looks like this OnHub gets its OS directly from Google.
So what other access point has received regular OS updates? Maybe the Apple Airport, but Apple and Google are pretty much the only consumer electronics companies who regularly support their older hardware (and Google, with Chromebooks, Wear, and now OnHub, seems to be supporting other folks' closely-branded hardware). I can't prove that Google will continue doing so, but their track record is pretty good so far.