Even with only 10 words (which are chosen from the BIP39 word list, which is 2048 words long), a hacker would need to test 2048^10 = 1298074214633706907132624082305024 combinations to crack a passhprase. This would need some time. But there is no time limitation after some trials, because it can be done offline without an internet connection, for example on a graphics card.
But I think the main problem is malware, which just cracks the password and then gets the passphrase, for those cases where the wallet is empty after some time. One major problem of the Yoroi wallet is that there is no check for the security of the spending password (except it has to be at least 10 characters). Someone could just use 1111111111 and the wallet accepts it.
There are huge password lists and cracking programs which try all kind of known schemes, like one word followed by a number, all combinations of two words with all combinations of a few letters replaced etc. So if you don’t use a purely random spending password, and given the fact that for example 30% of all U.S. PCs are malware infected, you are screwed. The malware downloads your wallet, and cracks the spending password offline. I guess this is the reason so many coins got stolen. And I guess the dark figure is much higher, because not everyone reports here in the forum.
Only safe solution are hardware wallets. There can be still problems with replacing an address in the clipboard etc., but the hardware wallets have displays as well, where you can verify it, and I haven’t heard so far of an attack where an address is changed in a browser window, e.g. if you want to send it to an exchange. But might be a good idea to verify the address where you send lots of Ada on 2 different computers / mobile phones.