Most password manager hacks don't attack the encryption or password themselves (my password is very long), they find/create a side channel. For example:
keylogger attack to grab password manager password
social engineering to reset a password
attack the server to intercept passwords
Every secure system can be defeated, but it's a lot less likely that two secure systems will be defeated at the same time. So I keep my passwords and second factors separate. It's unlikely that either will be compromised, and incredibly unlikely that both will be compromised at the same time.