The goal of SPID (the authentication system) is to let more citizens access to government services without going physically going to a place, and this goal is kinda working right now. During Covid, many italians asked for social welfare from their mobile phones, among other bonuses.

For how it is designed, there are a dozen companies that offer this service. The citizen can choose the one they trust more (there are some small differences between them; some require to pay a small fee; others require you to physically go to an office to be recognized; others offer you an app to login through a QR code...) BUT they are all required to implement industry-standard security. At one of my past jobs, many years ago, I had to implement this login system in a public portal. It was a mess (the technical specification was on a PDF written in bureocratic language) but shortly after a new team overtook the project and created a proper website with SDKs etc. To this day, the only known attacks to SPID were Phishing attacks, that require the user to do some dumb action on their side.

because of the certificate inside, the id card without the pin is worthless; having the identity split from authorization is an absolute win. compare and contrast with the SSN number.

also, the government already owns all my data, from birth onward. the authentication system makes it so forgery is much harder from the officials themselves, so this protects me from that as well.

Your picture, e-mail and telephone is mostly public (social media, etc), and the government would have your ID card information anyway - I don't see how this is worse?