The only two from the list I use are Xapo and Blockchain.info.
Both of them provide 2FA verification without the need of an app increasing somehow the security provided by those wallets.
The app increases security because you hold the private keys, not some web site. A web site can use 2FA which is great but you still have to trust them to not lose/steal your private keys.
Yes, it does happen. Bitcointalk is full of threads from people singing the blues about getting ripped off by online wallets.