I don't even think that Coinbase has the liability to compensate these users. The company can just argue that the hack resulted because the users relied on weak passwords which were used on multiple websites.
It does not matter how secure or otherwise the user's password is, or indeed if they are using 2FA - if their account is hacked through no fault of Coinbase then they will not receive any compensation. Coinbase don't know if the user is using an unencrypted 2FA app on an phone without a password with their username and password written on a post it note and stuck to the back of the phone.
In this case, though, Coinbase admitted that at least part of the hack was their fault due to a vulnerability in their SMS system, which is why they are compensating users. In the vast majority of account hacks, the user would receiving nothing in compensation.