Aside from stuff like CVE-2016-0777, some people do password auth SSH over the public Internet, which isn't great.

(See also: People migrating from FTP to SFTP and haven't heard the good word of rsync with key auth.)