Why not just encrypt the phone (including the apps), just curious?
I'm pretty sure the problem with brute-force hashing was fixed around the 6.x timeframe.
There are undoubtedly new/existing issues, there always will be, it's evolving s/w, but the security has gotten iteratively better since then too.
Or are you talking about what ODog2323 is asking about? I'm pretty sure there are some good (read external reviews) apps that lock this down, similarly to the AndroidPay model.
Third-party apps also have the advantage of having a lower attack profile/surface, mostly, so they're obfuscated a bit, but in a "good way", IMO, as long as you don't convince yourself they're the be-all-end-all of security solutions...