It's not about what's "better" but about what users are willing to tolerate. The average user has a very high tolerance for login bullshit, repeated captchas, etc. -- if the site has a monopoly on the social network you need to access.
And yet, even Github has passwords. Even Github uses passwords as primary. Along with millions of other sites. This isn't about what a few large companies do. It's about what works for most people.
Private keys, as appealing as they are in theory, don't really work from a user perspective. The closest thing that seems to be popular is 2FA keys like YubiKeys.
