This may be somewhat true for some users but I actually had a different PW for my Cryp acct than any other exchange, so this does not apply to me.
I sympathise with you losing your funds, but the whole idea of 2FA is that it proves (at least with high confidence) that you have physical possession of the sole authentication device and therefore you are likely to be the rightful owner of the account. [2FA isn't perfect, of course. Email 2FA is useless if a hacker already controls your email, and SMS 2FA can be captured by porting your phone number to a new account.]
A different password for each site will not help if you have something that has logged your keypresses, or nabbed your browser's password file. Anyone who has a copy of your "virtual" credentials can log in, from anywhere in the world. That's what 2FA is intended to prevent.
I do think you have raised a valid point about failed logins. Multiple attempts should lock out the account, temporarily at first, for a longer period each failure, then eventually semi-permanently. It does sound like you may be making some assumptions about brute forcing, though.
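The escalating lockout described in the reply above, sketched as an added example that is not part of the thread. The thresholds, lock durations and the names `LockoutPolicy` and `AccountState` are assumptions chosen for illustration, not any exchange's actual policy.

```python
from dataclasses import dataclass

# Assumed policy values (not from the thread).
FREE_ATTEMPTS = 3        # failures tolerated before the first lock
BASE_LOCK_SECONDS = 60   # length of the first temporary lock
HARD_LOCK_AFTER = 8      # failures after which only a manual reset unlocks


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    hard_locked: bool = False  # "semi-permanent": needs a manual reset


class LockoutPolicy:
    def __init__(self):
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        s = self._state(user)
        return s.hard_locked or now < s.locked_until

    def record_attempt(self, user, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        s = self._state(user)
        if self.is_locked(user, now):
            # Reject without evaluating the password, so a correct guess
            # made during a lock gives the guesser no signal.
            return "locked"
        if password_ok:
            s.failures, s.locked_until = 0, 0.0
            return "ok"
        s.failures += 1
        if s.failures >= HARD_LOCK_AFTER:
            s.hard_locked = True
        elif s.failures > FREE_ATTEMPTS:
            # Lock doubles with each failure past the free attempts.
            extra = s.failures - FREE_ATTEMPTS - 1
            s.locked_until = now + BASE_LOCK_SECONDS * 2 ** extra
        return "denied"

    def manual_reset(self, user):
        self.accounts[user] = AccountState()
```

A policy like this only slows repeated guessing against one account; a login with stolen credentials succeeds on the first attempt and never touches the counter, which is the case the reply says 2FA is intended to prevent.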