YubiKey 4 series, a USB security key
Developers, and not just them, belong in the “threat model” of your company (and your future). Even an office manager can use a password manager; we've tried that at one quite successful start-up building tools for API developers, owned by Oracle since 2017. Office managers and assistants also have access to quite important things and information, and they can also send an email to their bosses asking them to pay this random invoice.
Password managers do come with a risk, but it's still much lower than the risk of anyone reusing their password for multiple services. Password-Managers-as-a-Service are often a target for attackers (probably just like any other service), but with a good design it doesn't really matter that much. LastPass was successfully attacked several times, but the attackers made off with just encrypted blobs. They would need the respective master passwords to unlock these and get to usable passwords. Your master password (or better, a passphrase) should really be strong, long, and random, but on the other hand, it will be the only one, or one of just a few, that you'll have to remember.
But take OneLogin and their subpar design. OneLogin detected a security incident in May 2017 and they “cannot rule out the possibility that the threat actor also obtained the ability to decrypt data”, meaning the attacker had access to encryption keys as well, eh. You may have heard about OneLogin too; they acquired Portadi, a Czech company, in 2016.
I hear you, this cannot happen to you because your developers are the best. Of course they are, but it also happened to a Mozilla developer, a privileged user who had access to security-sensitive information such as descriptions of security issues in Firefox that were unpatched at the time. This user had reused their password on another website, and the password was revealed through a data breach at that site. Somebody obtained the password, and then a particularly nasty Firefox exploit was found in the wild in August 2015. The code exploited a vulnerability that was not patched back then, downloaded some development-related files which often contain passwords, and left no traces on victims' machines.
Think about it for a second, and do something. Thank you!