In an article from 2018 it showed LastPass had major vulnerabilities in each year of 2014-2017. Similarly Keeper in 2016 and 2017. The list goes on; most of these were white hat attacks, but each case mentioned the vendor didn't detect the vulnerability nor the unauthorised access, so it's plausible that others could have used the same route before the ethical hackers announced the flaws after the vendor had had time to fix.
Yep, there have been a few bugs along the way - to my knowledge these have all been related to some corner cases in the browser extension which could allow a malicious website to access a past password under certain conditions.
If you really want to go to extremes you can store a partial password in a password manager - e.g. store a 50 character random string but leave a common part out of it:
[50 random characters] + avf0rums!
then even if your vault is compromised due to the advent of quantum computing or something, your password is still not exposed.
Sure, a password manager is not a requirement - if people can manage dozens or hundreds of strong passwords in their head that is the ultimate security - but many cannot.
The critical security feature is two-factor, which means even a password on its own is of no use.
In any case I'm not sure we are seriously comparing potential exploits in a password manager to entering a non two-factor-secured payment-capable password, such as Amazon, into a shared computer and probably even shared Windows account in a library?