Suppose your site has five Admin users who all use strong passwords (such as 50 characters or more) and two-factor authentication as a secondary layer of protection to access the site. But ONE user has a weak password that has probably been published online (e.g. 'Password' or 'pass1234'), or if their user account has been inactive for months, giving hackers or bots plenty of time to potentially break their password, building or site is vulnerable because of that one account.
Good user-level security checks are absolutely essential for protecting your WordPress sites.