
PayPal probably has data that it will get more users if it's convenient to log in and some people get hacked.

I don't know if every user of PayPal would agree with this strategy, even though it makes PayPal the most money.



s/PayPal/the entire bloody financial industry/g

They've decided it's pretty much always better to close the barn doors after the cows leave.

Card fraud problems? Just promise people 'zero liability' rather than some sort of security paradigm stronger than "we told everyone they're not allowed to store the CVV."

Everything identity-theft related? Why bother actually engineering some sort of secure 21st-century authentication systems when you can just pay for a few months of credit monitoring after the inevitable data breach and class action suit?

I wonder if it would be possible to create a more proactive liability framework. Maybe stockholders would be a party with standing-- if you're still doing $known_stupid_thing years after alternatives have been documented, you're failing your fiduciary duty to investors, just waiting for an avoidable damage to the stock price to happen.


People lose their second factors, which are intentionally difficult to clone. Phones get replaced, keys get lost. OTP is a more secure fallback method than calling customer support.

I can’t think of another universally available fallback method.



