I also thought that RSA is weaker than ECDSA and why it was not selected for Bitcoin.
RSA requires a larger key size than ECC for the same bit strength thus it would be a less optional choice where bandwidth and storage are constrained (like cryptocurrencies).
All of the following offer 128 bit securityHashing Function: RIPEMD-128* 128 bit
Symmetric Encryption: AES 128 bit
Asymmetric (elliptic curve): ECC 256 bit
Asymmetric (prime integer): RSA 3,072 bit
* technically RIPEMD-128 is cryptographically weak against collisions and thus no longer offers full 128 bit security. Newer hash functions have gotten larger so I couldn't find any 128 bit hash functions which are still unweakened by cryptanalysis.
It gets worse for RSA if we ever need 160/256 bit security.
All of the following offer 160 bit security (or better)Hashing Function: RIPEMD-160
Symmetric Encryption: AES 192 bit (actually is 192 bit security but it is the smallest key size which is >= 160 bit)
Asymmetric (elliptic curve): ECC 320 bit
Asymmetric (prime integer): 7,864 bit
All of the following offer 256 bit security (or better)Hashing Function: RIPEMD-256
Symmetric Encryption: AES 256 bit
Asymmetric (elliptic curve): ECC 512 bit
Asymmetric (prime integer):15,360 bit
Even 128 bit key strength is beyond what can be brute force using classical computing. The higher key strengths are intended to be protection against cryptanalysis. For example a break which reduces the key strength of AES 256 by 28 bits has no practical application but the same 28 bit reduction on AES 128 starts to get it dangerously close to what "could" be brute forced.
