I often wonder this too, but when you go through the way steemit sets up its passwords it seems very logical too. The only way to get the account stolen is to have the active key be stolen. Yet the active key is rarely used. It is most often used when transferring steem/sbd or delegating SP. Beyond that everyone uses the post key, which allows easy access to post and respond on steemit. So safeguard the active key and never use it unless you really have to. If the post key is stolen the hacker still cannot access your funds. He/she can only post and comment.
To imagine every time I post I have to put in the 2FA code would be a hassle. To post 10,000 times means to input the 2FA 10,000 times. Thanks.
The problem with the active key is that its security makes it easy for people to misuse. Nobody can remember a random alphanumeric string of that length, so they would have to write it down somewhere, or more likely, copy and paste it somewhere. Depending on where they copy-pasted it (on their desktop), they might have set themselves up to have their account compromised.
I prefer 2FA + password because I can remember the password.
I don't think it would be a bad idea to enable 2FA on certain actions, for example, transferring STEEM/SBD would require 2FA, but you could continue posting and upvoting for the duration of your current session. However, if you log out of your account completely, you would need 2FA to log back in.
In any case, I'm not proposing that 2FA be mandatory for anyone. However, it would be a great feature for those of us who are willing to take the trade-off of a little extra hassle for extra account security.
I hadn't appreciated until recently how much money people are keeping in their wallets on steemit. As this information is publicly available, it puts a target on your back to have your account compromised.