It was bad that servers of a popular password manager with millions of users were compromised. The security controls were bad: a lastpass engineer had access to critical credentials in the same machine that he watches Plex open to internet (and possibly more).
It was bad because a lot of users don’t have strong master passwords, and their vaults are at risk. Also, insufficient pbkdf2 iterations did not protect well against brute forcing the vault. Sure users should use strong master passwords as much as possible. But a weak password would not have been a problem if the servers had not been compromised.
It was bad because a lot metadata has been leaked, that can be useful in further attacks.
A compromised server could also push a malicious update to the users and steals master passwords.
And none of the breaches have resulted in password loss if you used a strong pass phrase.
All the talk about PBKFD2 iterations has been about preventing loss when you used a weak password.
The same brute forcing for the most part also applies to keepass if you host your vault in ways that someone could access.
I don’t love Lastpass in anyway, but let’s not pretend that there was outright catastrophe.