If you’re 100% within the Apple ecosystem and don’t need to share password with others, then iCloud Keychain is good enough.
If needed, you can couple it with Google Authenticator or Authy for your 2FA codes.
And as @tgara mentioned, you can use password-protected notes for other items, like security questions for instance.
There are two caveats regarding the security of iCloud Keychain.
1. Password strength
Passwords generated with iCloud Keychain follow a predictable pattern: 4 strings of 3 characters (mixed digits, lower and uppercase letters) separated by dashes.
If an attacker knew you’re using iCloud Keychain, he/she would have an edge and the real strength of the password would then be similar to a 12-long mixed digits, lower and uppercase letters without symbols. It’s still good but not as good as a totally random 15 characters long password mixing digits, lower and uppercase letters with symbols.
There is inherent vulnerability for password management systems when Auto-fill is enabled.
It’s possible to disable it for Safari on both iOS and macOS, but then iCloud Keychain becomes less attractive because one loses the suggested password option and needs to manually copy/paste passwords when logging into websites.
Not sure if iOS 12 and macOS Mojave will be better in this regard.
Hope this helps!