Yes, of course 2FA is theoretically better. Until Facebook leaks half a billion phone numbers + account information. That is a vastly more serious threat.
I don't know a single case where TLS was compromised from an IMAP client. Perhaps if it is 15 years old? I hate this industry so damn much. People should be homeless, not security advisers...
You're thinking of the wrong threat model. They're not concerned about passwords being stolen in transit, but rather using the IMAP endpoint for credential stuffing attempts. An IMAP login attempt contains very little to zero metadata, so it's very hard to judge whether it's legitimate or not. With a web login you can get tons of stuff to judge the authenticity of the user, e.g. fingerprinting.