When symmetric encryption is used, usually at least 256-bit key is generated. That corresponds to 32 bytes -> 32 chars (which is quite generous, as most users will never use more than ~70 of the most common chars from the 256 in ascii).
How secure can then be services like Pushbullet that use your password for encryption? Even if they don't steal your password from client, shouldn't it be fairly easy to brute force the key on server if needed?
Yes it is weaker and it has bigger risks
If a background service uses your password as an encryption key then that means they have an on demand access to your password. This is a bigger risk (you mentioned it too). It is not uncommon for people to have the same password across various services. Pushbullet doesn't actually do that. It derives a key when you enter your password and uses that key for it's encryption.
If a system uses a user generated string as a key to it's symmetric encryption scheme, then it would likely be a smaller key compared to say a random 256 bit key. Not only do smaller keys have a smaller search space for brute force but user generated keys are also susceptible to other ways of attack like predicting the modification or same key as some leaked key.