The problem is that it takes only *one* hacked reader to steal your fingerprint, and then that entropy is lost forever. If your password is stolen, you just change your password, but you can't easily change your fingerprints. In this respect, most biometric data is more like names than passwords: if you tell me your name, I know that you're saying that you could be the person with the name in question, but I don't know that you can't be someone else.
What you would ideally want is something that takes a name and something that changes every time you try it, then combines them in a certain manner that cannot be reversed but can be checked. To use the name analogy, if you have to give both your login and password (or your name and password), then if someone steals your password, you're safe unless he also knows your name - you have a window in which to change your password before the adversary determines what your name is. Yet like with names, if the adversary has properly prepared his plan and is attacking you alone, the biometrics won't help you. He might record your voice, lift fingerprints, etc.
It may seem tempting to get around that problem by making a tamper-resistant fingerprint reader so that your fingerprint is never really exposed to the world. The reader would then do some sort of authentication with a remote site and the data would stay on the reader (or be dynamically sampled). The problem with that is that there's no such thing as being fully tamper-proof, and you leave fingerprints everywhere. The bad guys can get another reader and wire it up to take fingerprint info from an external source, then lift your prints from somewhere. That is -- unless the reader itself holds a key that it combines with the fingerprint data, but then you're back to two factors as mentioned above: a name (your print) and a password (the device itself, which can be replaced if compromised).
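The two-factor arrangement described above (the print as the name, the reader's key as the replaceable password, combined one-way with a value that changes on every attempt), as an added example that is not part of the original text. The `Reader` and `Server` classes, the key shared between reader and server, and the HMAC-SHA256 construction are assumptions made for illustration; the print is modelled as a stable byte string, which real, noisy biometric samples are not.

```python
import hashlib
import hmac
import secrets
class Reader:
    """Hypothetical reader holding a replaceable secret key."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
    def respond(self, print_template, challenge):
        # One-way mix of the print (the "name"), the device key (the
        # "password") and a challenge that changes on every attempt.
        digest = hashlib.sha256(print_template).digest()
        return hmac.new(self.key, challenge + digest, hashlib.sha256).digest()

class Server:
    """Hypothetical verifier; shares each enrolled reader's key (assumption)."""
    def __init__(self):
        self.enrolled = {}  # user -> (print digest, device key)
        self.pending = {}   # user -> outstanding single-use challenge
    def enroll(self, user, print_template, reader):
        self.enrolled[user] = (hashlib.sha256(print_template).digest(), reader.key)
    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]
    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # consumed, so replays fail
        if nonce is None or user not in self.enrolled:
            return False
        digest, key = self.enrolled[user]
        expected = hmac.new(key, nonce + digest, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    alice_print = b"constructed-fingerprint-template"  # constructed sample
    reader, server = Reader(), Server()
    server.enroll("alice", alice_print, reader)
    def attempt(r):
        return server.verify("alice", r.respond(alice_print, server.challenge("alice")))
    good = reader.respond(alice_print, server.challenge("alice"))
    results = {"genuine": server.verify("alice", good),
               "replay": server.verify("alice", good)}
    # A lifted print fed through another reader: right name, wrong password.
    results["lifted_print"] = attempt(Reader())
    # The compromised reader is replaced; the finger stays the same.
    new_reader = Reader()
    server.enroll("alice", alice_print, new_reader)
    results["old_reader"] = attempt(reader)
    results["new_reader"] = attempt(new_reader)
    return results
```

Calling `demo()` shows that the same print keeps working after the reader is replaced, while the old reader's key, a replayed response, and a print presented through a different reader are all rejected.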