The big one is if my system (using Auth0 or another 3rd party provider) is compromised, none if the user passwords are compromised. I simply need to invalidate all tokens (through Auth0) and tell Auth0 to change my signing key.
The flip side is Auth0 is 100x more the security target than your site. Are they more likely to be compromised than your site? You can make arguments, but I've gone with them.
The other big Auth0 win is simplification of OAuth with third party providers. But if you're going to stick with username/password, don't think your site is much of a target, and think security first in your server's design, I'd roll my own