One problem is that WordPrss sites are often built by small web designers for clients with limited computer skills and very little patience for complex passwords, much less two-factor authentication.
For 2/3 of the WordPress sites I administer, I use a very long, complex admin password. The other site is for a group that wanted multiple admin accounts, but the people who use these accounts have a lot of trouble with complex passwords. After several emails telling me that "the website doesn't work" because the user had trouble with a long password with special characters, I gave up and switched it to an easy-to-remember password with just uppercase and lowercase letters.
For 2/3 of the WordPress sites I administer, I use a very long, complex admin password. The other site is for a group that wanted multiple admin accounts, but the people who use these accounts have a lot of trouble with complex passwords. After several emails telling me that "the website doesn't work" because the user had trouble with a long password with special characters, I gave up and switched it to an easy-to-remember password with just uppercase and lowercase letters.