The management tool in the View History section under Password and Security at the Apple ID site lets you revoke these passwords, too: one at a time or all at once. And whenever the main account password is changed, all the app-specific ones die a sudden death, too.
They do bypass the two-factor benefit, however, and that's a concern, for email most of all. Apple's 2FA prevents access to its own account information for confirming a password change. But for any single-factor account you have elsewhere whose registered email is your iCloud address, a third party who gains access to an app-specific password could receive the reset emails and would be able to reset passwords at those other services.
Now, the nice part with most of this is that you aren't bugged that often, if ever, after going through the fuss of setting it up. That is what makes it possible for you to help others (family, friends, colleagues, and more), as you won't have an ongoing burden of support. Setting up trusted devices takes a few moments. Generating the necessary app-specific passwords takes a few more, depending on how many different email clients, calendar apps, and contact managers you use that talk to iCloud.
Most people tend to use a single computer or set of computers, and Apple will let you use 2FA the first time you log into iCloud.com on a given browser, and then just a password when a session times out thereafter.
Two-factor authentication doesn't solve security. There are many points of entry for exploitation, and more being discovered (and patched) all the time. What it does is prevent a butter knife from picking the lock on your front door — and usually prevent a sledgehammer from knocking it down as well.