People really don't understand 2FA codes. Imagine trying to tell thousands of students to get the code from their 2FA app (Which app?). What happens when a student goes home over the summer and gets a new phone, but doesn't transfer the app info? Duo offers a level of management that other apps don't. If a student is struggling, you can send them a text with a direct link to the app they need to download. You can temporarily bypass 2FA from the Duo console. For the longest time, it was the only 2FA app that offered any kind of management. Okta has it now, too, but most higher ed already has a different SSO provider, so switching to Okta just to get 2FA management (And I'm not sure it's as good as Duo's) is probably an impossible task to get off the ground.
Okta offers a similar feature. So much easier to click a confirmation on my phone than to scroll through dozens of 2FA codes (some of which might be orphaned).
This implementation sounds better. Though for me I still have to manually input a code from the Duo app (that doesn't auto refresh after code entry since it's not time based).
Having the do the manual entry and the lack of refresh is a choice of your security team/administrator. Duo supports push notifications and auto-refreshing TOTPs.
Indeed. They are generally understaffed and salaries are very low so they're very lucky to get any "1x-5x" developers who stick around long enough to understand the infrastructure. Outsourcing as much as possible makes a lot of sense in that environment, it does create major single points of failure but "roll-your-own" would likely fail more often anyways.