Couldn't agree more, and came here to say this also. I understand that they are driving forward with new features for developers, but security cannot be taken seriously enough when they are hosting organisation's private code. I cannot take them seriously until they add this feature.
I just don't get the reticence to implement it - I added 2FA to a customer facing app we produce in less than a week - and most of that time was coming up with a nice/pretty setup workflow to enable it on your account.
https://bitbucket.org/site/master/issue/5811/support-two-fac...