Once again, this depend of what is the sensibility of the accessed information behind the authorization, the scalability of your server and your use-case...
1. First consider that a lot of junior devs are more than happy to build an authorization mechanism for their single page blog and i don't think this is wrong to offer them accessible knowledge for a working solution. They can very well deep-div the rabbit-hole later on....
2. You would be surprised of the amount of way there are to hack a session base authentication, but beside that you would be surprised to discover than most of the hacker doesn't even look to the auth to hack a system. If you were to stole a home, would you rather go inside from the opened side window or take the reinforced front door and force it?
3. I don't know much of SAAS using sessions. If you want to validate your argument why not adding some strong references?