This vulnerability has nothing to do with password strength or security and everything to do with password reset security, i.e. email and improper handling of parameters to that reset API call.
Passkeys are interesting and potentially quite strong but they're going to have to fall back to the same old reset mechanism if you e.g. drop your passkey device (phone) into a lake.