The same things that make your privacy vulnerable make your devices vulnerable.
It's currently impossible to secure a consumer cell phone. They were explicitly designed to collect and leak your data. When 3rd parties have access to all your data you can't secure it. When 3rd parties can push code to your device without any notice to you, at some point a bad actor will do the same. If you aren't allowed to see what your device is doing you can't see when it's being used by an attacker. If you don't even have permissions to the most important parts of your own hardware/software you can't do anything about it once you are compromised.
Cell phones are not private and they aren't secure and that makes them the worst kind of device you could insist on people using to replace their passwords.
You are concluding things from a false premise. Just because mobile phones are not zero trust devices (note that there is no such thing anywhere!) doesn’t mean they are not secure against malware. While iphones have a really good security and privacy story, I may get that with sufficient tinfoil hat-layers one might choose not to trust apple (though the only target vector would be a deliberate malware created and pushed by apple itself)
But there is also the Graphene project which runs on the Pixel phones, where you have complete control over the software. But the hardware will always be somewhat proprietary so you can’t have complete trust in that either. (And no, pinephone and alia just put closed firmware into the hardware not even allowing updating it, which is strictly worse than having it patchable)
Nonetheless, both of these options are orders of magnitudes safer than desktop OSs, as per my original statement.
Cell phones are not private and they aren't secure and that makes them the worst kind of device you could insist on people using to replace their passwords.