A pin is also required when you set up Touch ID. And restoring from backup is a different password.
I think you are misunderstanding. The fingerprint sensor only unlocks the iPhone. It has nothing to do with accessing your iCloud account. The fingerprint unlocks iPhone. Your data on the iCloud should be encrypted. . . and protected by a two-level access. Password and pin-code. That keeps creeps like these OUT.
If Apple made an error, and it is indeed possible, it was apparently in the API for the FindMyIPhone app on a computer. The API evidently failed to lockout multiple password attempts which would allow what is called a brute force attack where a bad guy just keeps guessing weak passwords until he gets in. If he knows something about the target, he can try things like pet's names and numbers like birthdays, anniversaries, etc. this particular script merely used the list of 500 most commonly passwords on the targets' user names. It got them in.
This kind of attack would be useless against password in the pass phrase style such as:
23katsCleanbarf5Xs
dawgsLess8p0lecats
9bottlesOFsnoshoes
If you were unable to retrieve a lost iPhone, you would be able to buy a new one, input your Apple ID, password, secondary code (hopefully you set one to keep the baddies out), and your new iPhone would be restored with everything intact.