You'd be surprised how many routers have shipped with WPS on by default, and without rate limiting. Your 25 character, randomly generated password isn't much help when you can simply try about 11000 WPS PINs and have it spit out the plaintext key to you :)

Even if it is turned off the router can still be vulnerable. Reaver use to be the go to script for this but now bully has taken over.[1]

[1]https://github.com/bdpurcell/bully

Not to mention OpenCL-accelerated WPA handshake cracking can still pay off reasonably.

Definitely agree. I've audited my fair share of WPA captured handshakes and had a lot of success. People choose shitty passwords.