I disagree with all the above posters except ts.


Quite a common myth, please look at the amount of cryptomarket breaches for the past years including 2018. Exchanges care so much about 2FA just because most of them are not ready to take responsibility once their resources are hacked and 2FA minimizes the risk of unauthorized withdrawals. Most code base of crypto exchanges is acquired on Indian and Russian cheap outsource market, which is very well known for bad security, thus, forcing 2FA is more an excuse for bad security than some reasonable thing.
There is a well known fact there are 2 category of Internet users, these who care about their online security and these who don't. Unfortunately second party is bigger, but these who deal with online valuable assets and not only use facebook should be aware of security and they are responsible for their credentials in the first place.

To summarize, exchanges that force 2FA admit the possibility of being hacked which means they are not confident with security of their sites. An ability to create the exchange should not be enough requirement for launching it, the ability to secure it should be most priority.