Why is 2FA so critical it’s worth proactively breaking the user? What’s the even more bad thing that would (not could) happen to the user if 2FA was not enabled?

Password database leaks turning into spam/proxy farms of very well aged accounts.