Its actually pretty secure... even identical twins get recognized as different individuals....
However, in the sort of situation where someone wants you to unlock your phone... You really can’t stop them.
They claim its 1 in 1,000,000 chance someone else would fool it... and a standard 6 digit code by pure guessing is obviously 1 in 1,000,000 as well, so its not so much any less secure from a random attack by someone trying to open the phone... but like this story shows, there is no privacy expectation of your face.
The one-in-a-Million figure is irrelevant. The vulnerability is that people will use your own face to unlock your phone against your will.
Heck, Ive been in enough fights where somebody used my face to unlock a door. It would be much less painful to have them use my face to unlock a phone.