Up to a point, I agree...
But the manufacturer offers 2FA, but the users don't use it, it is too inconvenient for them, so they stick with a weak password they can remember - because they use it everywhere.
You can only protect users from themselves to a certain point - minimum password strength rules etc. Checking Haveibeenpawned? That could open up another can of worms, is it sufficient to check once, when the password is set? Or is it corporate negligence when they don't regularly check the password? But the password should be hashed, so they don't actually have the password to re-check.
At the end of the day, each user has to decide for themselves what is adequate, but it is such a complicated topic, that uninformed users make uninformed decisions, which can come back to bite them.
