Written down can of course be (in a secure way) online, but that's a single point of vulnerability, but store it in a way custom and only known to you and it's not an obvious target. Unlike password managers.
Corporates (lack of) security is very alarming, especially the way default passwords are emailed out in some places and no one changes them, then they're used as the same password for lots of systems.
Interestingly NIST are also saying SMS for two-factor auth is also out.