I've done user accounts a fair number of times in the past. There are some footguns but it doesn't seem so bad with existing libraries and frameworks.
Why do people pay for Auth0, then? Is it because dealing with SAML is annoying? Or maybe it's an easy thing to point compliance folks to, since it's an established company/product?
It is same as why people pay for anything. If it is not your core value proposition why not pay someone else to do it for you.
You pay for time and expertise. Not everyone is a developer in a business world. Also to transfer reaponsabilities to a third party.