by ahelwer 2119 days ago
It's not quite so cheap for a site to implement 2FA. It surely increases support costs by quite a bit. Also possibly weakens security, because an authentication system is only as secure as its recovery process.

With email + password, account recovery is simple: you send a message to the email address. With 2FA, things get very complex very quickly and there isn't any standardized approach I've heard of. Most involve waiting a week or so.

The gold standard would be everyone owning two U2F keys, keeping one safe as backup. Don't even want to imagine what the recovery process would be like for that system if someone manages to lose both keys (which will eventually happen). Probably would involve mailing a new key directly from the company to your address.
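One recovery fallback that avoids the week-long wait described above is a set of pre-generated, single-use recovery codes handed to the user when the second factor is enrolled, stored server-side only as salted hashes so a database leak does not expose them. The following is an added example written for this page, not code from the commenter or from any particular site; the class and function names (`RecoveryCodeStore`, `generate_recovery_codes`, `redeem`) and the 80-bit code size are assumptions made for the illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Assumed parameters for this example: 10 random bytes (80 bits) per code,
# shown to the user as four groups of five hex characters.
CODE_BYTES = 10
GROUP_LEN = 5


def generate_recovery_codes(count: int = 8) -> list[str]:
    """Produce `count` high-entropy one-time codes to show the user once at enrollment."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)  # 20 hex characters
        codes.append("-".join(raw[i:i + GROUP_LEN] for i in range(0, len(raw), GROUP_LEN)))
    return codes


def _normalize(code: str) -> str:
    """Accept user input with or without separators and in any case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _digest(salt: bytes, code: str) -> bytes:
    # A fast hash is acceptable here because each code carries 80 bits of
    # entropy; the per-account salt stops precomputation across accounts.
    return hashlib.sha256(salt + _normalize(code).encode("ascii")).digest()


@dataclass
class RecoveryCodeStore:
    """Server-side record: only salted digests and a used flag per code are kept."""
    salt: bytes
    digests: list[bytes]
    used: list[bool]

    @classmethod
    def create(cls, codes: list[str]) -> "RecoveryCodeStore":
        salt = secrets.token_bytes(16)
        return cls(salt, [_digest(salt, c) for c in codes], [False] * len(codes))

    def redeem(self, candidate: str) -> bool:
        """Consume a code if it matches an unused entry; every code is single-use."""
        target = _digest(self.salt, candidate)
        match = None
        # Compare every stored digest in constant time rather than stopping early.
        for i, stored in enumerate(self.digests):
            hit = secrets.compare_digest(stored, target)
            if hit and not self.used[i]:
                match = i
        if match is None:
            return False
        self.used[match] = True
        return True

    def remaining(self) -> int:
        return self.used.count(False)


if __name__ == "__main__":
    issued = generate_recovery_codes()
    store = RecoveryCodeStore.create(issued)
    print("issued:", issued)
    print("first use ok:", store.redeem(issued[0]))
    print("replay ok:", store.redeem(issued[0]))
    print("remaining:", store.remaining())
```

Issuing a fresh set should invalidate the old one, and a successful redemption is itself a security event worth logging and alerting on, since it is the path an attacker would take if the primary factor is bypassed.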