I think it's similar to, say, serving raw HTTP instead of HTTPS. If, say, Facebook still served HTTP and people were getting their passwords swiped, Meta would be in the crosshairs.
Even though you could say a person getting their 1FA account details phished is technically "their own fault", certainly to a greater extent than my HTTP example, spending the time understanding the issue well enough to realise that it was their own fault and not BigRichCompany's fault is not high on most people's list of fun things to do.
akoboldfrying|3 days ago
Even though you could say a person getting their 1FA account details phished is technically "their own fault", certainly to a greater extent than my HTTP example, spending the time understanding the issue well enough to realise that it was their own fault and not BigRichCompany's fault is not high on most people's list of fun things to do.