True only because if you're a criminal attacking the encryption is the stupid way to get at someone's data. A dictionary attack on stupid passwords, or phishing, or some other sort of social engineering is much better. Getting at the data though the user is almost always going to be easier than through the machine. But strong encryption is still important because it creates trust. "Even the resources of a nation-state would be insufficient to crack this" engenders trust; "only thieves willing to shell out for some FPGAs can crack this" does not.And the thing of it is, weak encryption is adequate for most people. They're not looking to protect their information from the NSA, they're trying to keep their credit card info safe from their children. They want to know that if they drop their phone on the street, they have a few hours to wipe it remotely before someone hooks up a dongle to it to brute-force the combo. The type of encryption and the methods of decrypting it aren't really at issue.