I don't relate KYC with security but I said that web wallets that don't require KYC are not trusted as they get easily hacked
Sure, but what I'm saying is that all web wallets are easily hacked and no web wallet should be trusted, regardless of whether or not they require KYC.
while wallets like Xapo are apps that provide more security in terms of 2FA, ID verification in case you lose access to your wallet and plus ask an additional verification when you perform any transaction compared to web wallets.
Sure, using 2FA is better than not using it, but again, you shouldn't be fooled in to thinking Xapo is safe just because they do. Although it is an app, it is still essentially a web wallet - you access your bitcoins by logging in to their service via the internet. It is therefore hackable, phishable, and social engineerable. You are still trusting a third party to manage your money for you, which is antithetical to the entire point of bitcoin being trustless.
None of these services which you have talked about (web wallets, Xapo, Coinbase) let you hold your own private keys. If you aren't holding the keys, then you don't own the bitcoin. Storing your coins in any of these (or similar) services should be discouraged.