@gargron mmmmmm I'm actually pretty happy with how TouchID is implemented from a security perspective. Your password is still required after any reboot or significant downtime, or for sensitive operations. It's not being used as a password, more as a proof of continued presence during inactivity.
Security is a usability/threat tradeoff and having TouchID enabled allows me to have a much longer password then would be practical normally. So overall it's a net positive.