I have about 1000 accounts in my password manager. 100 passkeys to replace them is not enough. I wouldn't feel comfortable with that as a hard limit, if it's to replace all passwords.

Many of those 1000 are obsolete (old accounts I'll never use again), but many are not. At least 30 are things I use every week, most of them financial or tech admin, i.e. not social media. I'm confident (though not certain) that I login to more than 100 accounts over a typical year, and there are accounts that I sometimes login to more than a year since the previous time, glad that I recorded the credential.

A Yubikey purchased today actually allows 100 discoverable credentials. Keys running older firmware stored a max of 25.

If you don't get old stock - wasn't there some issue recently where they were still selling Yubikeys with the known vulnerability saying that "unless you knew about the vulnerability and specifically had a need to avoid it and told them", that that wasn't a problem?

Thank you

Both are awkward in that I could reasonably expect to exceed them in the lifetime of a hardware authenticator.

The ideal number would be infinite and is in fact very achievable with a very small API modification, but alas, the WebAuthN working group didn't consider it necessary: https://github.com/w3c/webauthn/issues/1822