Just a little note here:
Information security is a vast topic. You need to consider technology, humans, and processes. You also need to consider measures to identify your assets, detect malicious activity, respond to attacks, prevent attacks, and recover from attacks.
In the best case, you have your custom mix of security controls.
For instance, a firewall with a strict rule set may prevent some attacks when you continuously improve its rule set. However, a firewall can’t detect all malicious activity. For this, you need an intrusion detection system (IDS). However, an IDS is based on signatures (similar to anti-malware software), so you need to continuously update its signatures. Then, there are honeypots that can detect previously-unknown attacks, but you need to derive new attack signatures from malicious activity that you recorded. This knowledge from honeypots allows you to react to attacks. Moreover, you need current backups and recovery tests to successfully recover from attacks that couldn’t be prevented or detected.
Deploying some technology without a plan adds some security, but it is basically like replacing the lock cylinder of your front door while you leave all windows open.
Besides technology, you as a human need to be aware of new attacks and your security controls. Keep in mind that social engineering (manipulation humans by exploiting their human characteristics) perfectly works without any technology. SE isn’t only phishing.
Finally, there are processes. Things need to be updated, revised, documented. Furthermore, you need to behave in certain ways to ensure that your security controls are used effectively.
Hopefully, you see that single products like Bitwarden vs. Lastpass doesn’t matter. You need to look at a much higher level.