Two-letter domains are defined to be ccTLDs—if it's two letters, it's a country code domain. Breaking that rule would risk leaving a future ISO-standardized country unable to claim its domain because its code was already assigned to a tech startup gTLD.
The short-lived country of Serbia and Montenegro got assigned .cs (from Crna Gora - Srbija) which previously belonged to Czechoslovakia, but it seems it was never used (they kept using .yu).
I've heard it discussed as a possibility tho I don't personally know how the ISO CC assignment process works. On the other hand, we don't exactly create new countries at a rate that exhausting 26^2 combinations should be an issue, but I suppose that could change.
Fair enough. One could alleviate that concern by not opening gTLD for general two-letter registrations, reserving it for these special cases, but the core issue would remain.
They've done that a couple times (EU, UK, SU), but each of those was first reserved as an exception in the ISO standard. So that's probably where proponents of .io would need to start.
