I mean, you’re comparing very different scenarios.
If one account gets broken into and their password hashing was crap, the attacker can try the email/password combo with other services and can stumble onto another one you use.
If someone has access to your sticky note they have all your accounts.
I don’t think I’d call either of them better.
Of course, all this assumes no second auth factor.