Yes. You're missing decades of the arms race between hackers and developers that has resulted in a degree of complexity that is too high for someone who isn't specifically trained in infosec.

Web devs use abstractions for lots of things. There's no reason auth should be a hill to die on.