by bvrmn 1438 days ago
2FA hardly adds any security if you already use password manager with long random passwords.
1 comment

This is clearly not true. Having a second factor helps maintain security in the situation where your password is compromised (phishing is just one scenario). It isn't perfect, and can itself be defeated. However, compromising an account with 2FA is demonstrably more difficult than one without.
While there are scenarios where 2FA can maintain security where a password is compromised, it's absolutely true that for a large swath of practical threat models, almost the entire benefit of 2FA comes in the form of assigning the shared secret instead of letting the user pick a weak and/or widely-reused password, and the "having a second factor" bit doesn't really factor into the picture in any meaningful way.
These weaknesses are implementation specific. FIDO2/U2F is unphishable, requires proof of presence, and is a significant security win over a strong password.
Is PyPI requiring maintainers to use a hardware key? If not, I don’t understand how this policy is helpful.

Anyone who hadn’t already turned on 2FA is going to use the most frictionless so-called second factor they can.

They've been offering people hardware keys for free.

https://pypi.org/security-key-giveaway/

That's a great initiative, but I expect the maintainers who are interested to be the ones who've already turned on (some lesser form of) 2FA voluntarily.

Anyone who is turning on 2FA because of this requirement is going to select the most frictionless method of complying with the mandate. Which will not be a hardware key.

I'm not calling it a weakness. I'm saying that the alleged advantages of the 2F in 2FA don't normally matter to people who just want their shit to work.
If they can phish my password, they can trivially phish my OTP as well. The one thing I can see actually protecting against that is a physical hardware key, but that's a lot of extra inconvenience.
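An added example, not from any commenter in the thread, contrasting the two second factors discussed above: an RFC 6238 TOTP verifier, which has no notion of where the code was typed, beside the origin-binding part of a WebAuthn/FIDO2 assertion check of the kind a relying party performs. The origins, challenge and `client_data` builder are constructed for the example; the signature verification step of a real assertion check is omitted.

```python
import base64
import hashlib
import hmac
import json
import struct

def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current code or one from +/- `window` steps.
    Nothing in this check ties the code to the site it was typed into: a code
    entered on a look-alike page is equally valid on the real site for ~30 s."""
    return any(hmac.compare_digest(totp(secret, timestamp + 30 * k), code)
               for k in range(-window, window + 1))

def verify_client_data(client_data_json: bytes, rp_origin: str, challenge: bytes) -> bool:
    """Origin-binding part of a WebAuthn/FIDO2 assertion check (simplified: the
    signature over authenticatorData || SHA-256(clientDataJSON) is not checked).
    The browser, not the page, writes `origin` into clientDataJSON and the
    authenticator signs it, so an assertion produced on another origin is
    rejected here even though the user touched the key."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get" or data.get("origin") != rp_origin:
        return False
    b64 = data.get("challenge", "")
    got = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    return hmac.compare_digest(got, challenge)

def client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, shaped as a browser would build it for `origin`."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()

if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test secret
    code = totp(secret, 1111111109)      # same code whatever page the user typed it on
    print("TOTP accepted regardless of origin:", verify_totp(secret, code, 1111111109))
    chal = b"constructed-challenge-bytes"  # constructed relying-party challenge
    ok = verify_client_data(client_data("https://pypi.org", chal), "https://pypi.org", chal)
    bad = verify_client_data(client_data("https://pypi.lookalike.test", chal), "https://pypi.org", chal)
    print("assertion from real origin:", ok, "/ from look-alike origin:", bad)
```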