2FAs are mostly optional for exchanges. They can allow the account to keep trading and do all transactions but for most, they're requiring it as a step to increase the protection of their users and that's why they're forcing each of us to do that even for SMS, email, and/or authentication.
According to my own experience, most, if not all, reputable exchanges enforce 2FA, especially on withdrawals. Even if an exchange makes 2FA optional for logging in, it makes it mandatory to request a withdrawal. But we should remember that securing our accounts is our responsibility. So, we shoudn’t rely completely on them.
I agree, that we shouldn't rely on them and these security features should be a norm even if they are doing it optional. It should stick with us for whichever platform we are in. It's not a problem if someone uses 2FA apps and then has the email confirmation as well, I've got that in some exchanges because that's how it goes and I feel fine with that to secure my account before I withdraw.
To be more smarter than scammers, then we must be able to know what are the security measures expected of us to take, how to avoid being a victim and having the ability of discerning between what is real and fake, we have to discipline ourself, if we truly want to see this happened, we cant afford to take our security and privacy matters with levity hands, there must be a full awareness of scam and we must maintain or stick to the safety precautions, if we don't give the scammers room to gain access to us, they might never find a means of attacking from the first place, majority of their victims are the ones at fault, because they lack what it takes to avoid scam irrespective of the technique used against them.
Security measures are there but sometimes we slide on those because of not being careful. I agree that being disciplined to ourselves is a must because there is no one out there to save us. We have to outsmart the smart scammers.