I'm not saying it's the right way to do things, just that it's not unreasonable. Corporate infosec teams just usually aren't staffed to deal with this sort of issue. At best they can pass the user to regular support, or pass the issue on to whatever engineering team is responsible for third-party 2FA. And that's where the issue lies: if Twitter's regular support wasn't completely useless, we wouldn't have this problem here.