I'm fairly sure the reason for the lack of 2FA is the usual "I'm too important to be inconvenienced" screwup. Where C-Levels demand that they have full reign, full access and maximum privileges, but also can't be assed to agree on bare minimum security features because it's "too complicated" for them.
Let the users jump through all sorts of ridiculous hoops to access their locked down accounts, but I'm far, far too important to be in any way inconvenienced (hell, remembering that 8 letter password that doesn't conform to any password standards we require everyone else to follow) when I want to access my all-access account.
Which I don't use, because that's what my secretary is for. But I need to have it. Because I'm important.