This is not wrong but what’s really missing is cost: Meta did this so they can avoid paying people to do it. Lots of companies follow that decay spiral: your bank could shut phishers down cold by requiring wire transfers to be authorized in person but they don’t want to pay staff or risk you being upset by a transaction taking an extra hour so they don’t.

Imagine an alternate universe where big tech companies worked with various trustworthy third-parties where something like this would generate a challenge you could take to your local notary, post office, library, police station, etc. where someone would check ID before approving it. How many phishing attacks would be prevented annually by a physical presence check?

It's a tough problem, because people forget passwords, change phones, lose access to 2FA devices, but still need to use their accounts.

fair enough, but what's the actual point of 2FA if it's so easy to override?

It's a hard problem. How do you prove you own an account if you lost all proof of ownership? Especially so if an account was never tied to your real name, in which case you could at least rely on government ids.

It depends. Some like AWS take it deadly seriously and it takes a long time to recover root access to an account.