Since your fingerprint (or face, or (presumably) DNA) is stored as a salted hash in the Secure Enclave of the phone, unreadable and unsynchronised with the cloud, I’m not hugely worried that this represents a security loophole. It might be a security hole, of course, but it’s insignificantly small compared with the massive security error that social networks represent.
Through tools like Facebook, criminals can fairly easily work out your mothers maiden name, your place of birth, your real birthday (assuming that you haven’t been foolish enough to explicitly tell them), and may even in some cases divulge what you’re spending your money on, when and how much.
With that little haul a malfeasant should be able to unlock your life without going to the inconvenience of nabbing your phone first. I think that putative problems with (correctly implemented) facial and fingerprint recognition are only worth worrying about once the far bigger security issues that millions face everyday have been resolved.