Exchanges have been hacked too. There were many who reasoned "I'm not a security expert, I'll probably be safer if I entrust Mt.Gox with storing my coins, since they obviously know what they're doing" and lost everything as a result.
Personally, I find it absolutely mind-boggling that a majority of exchanges allow users to make deposits and trade without enabling 2FA first. So many thefts could be prevented if more exchanges dared to inconvenience their users by requiring 2FA to be enabled as a prerequisite for doing anything else.