Suggested a million times already.

Probably because it's actually a very good suggestion that still hasn't been implemented. Truth is if it's not PGP-based 2FA, it's not secure. Even TOTP would be a move forward. Until then, I won't consider my account secure, even if it's insured by PGP. But security and insurance are two completely different things. Security is more important than insurance.
Example: Everyone's accounts that have been hacked due to a SPOF (in this case the password).
Problem: Server-side security that also depends on customer-side security is an unnecessary security hierarchy.
Solution: Let the users become responsible to decentralize security; implement the option of 2FA.
I don't think it should be a requirement, though, no; let the users decide if they want their account to be secure or not.