It's one thing to argue in court that they should be liable because they didn't provide you with the necessary security tools (like MFA), but they all provide at least SMS 2FA these days and their apps run on iOS and Android, both of which have plenty of security features.
Fighting against that is insane paperwork and professional exposure for software engineers that do it (since if people get phished, the C-suite will point a finger at a tech lead who went against the "professional security audit").
Most of the other posts here are just post-rationalization and victim blaming.
You will not have them change their policies if they do not have a good person inside, who will slowly move the boat.
I fought for audit findings because they were pissing me off at a personal level and it worked. But the auditor did not change their procedure, just reverted the finding. Until the next year.
The people at the top are idiots because the idiots were able to secure advisory positions. They were able to secure positions because those promoting them were either tricked or idiots themselves. This pattern repeated all the way down.
So I really do mean grease the wheels. And I really mean we won't kill the beast overnight. But we won't make any progress towards fixing things if we won't look at how the problems are created in the first place. We'll only perpetuate the problems if we oversimplify things, as that's exactly what got us into this mess in the first place.
Maybe, but this is what I managed to gather through a 30-year career in tech, in three huge companies, from IT management to SVP.