I can see why this is an unpopular opinion for IT administrators and security responders alike, but I totally agree. Centralised authentication means if an attacker can compromise the SSO layer, they've compromised everything. This is far less desirable than an attacker having to compromise each system individually.
I think most often these days the users themselves are the centralized point of entry for attackers—a focused attacker is not necessarily going after every application a company uses and trying to breach it individually, but instead trying to compromise a user who has access to all of them.
So in that scenario, centralizing auth is desirable because you don’t have that user holding dozens of weak passwords, and you can monitor access and use heuristics to lock the user out of everything automatically if, say, they access the SSO portal from an unexpected IP. You can also always set things up to require re-auth or MFA whenever someone actually signs into something through the IdP, as an extra layer on top.
