To summarize, exchanges that force 2FA admit the possibility of being hacked which means they are not confident with security of their sites. An ability to create the exchange should not be enough requirement for launching it, the ability to secure it should be most priority.
I'd must agree on that. 2FA is only useful for people who really need it, these who don't use same passwords on all sites and have security in mind are safe, the rest is a responsibility of the exchange.
Having good password hashing is quite enough to protect user accounts even after database leak, unfortunately many players still choose simple algorithms such as md5 in order to increase authorization code performance.