If a password was captured by a key logger, rather than a session token being stolen, they didn't implement 2FA for this login.
They are also talking about a home computer. In my company, VPN access is limited to trusted devices; therefore, sensitive systems can only be accessed from a corporate machine.
Security at LastPass seems substandard for a company storing security credentials. Unfortunately, from my experience, this is relatively common, and regulators need to start issuing significant fines or prison sentences for this to improve. Unfortunately, it is too easy for CTO/CISO to find a scapegoat and avoid scrutiny.
There isn't enough information to tell. With a keylogger you can steal the password every time it's used; MFA will just prevent / limit its use. So it doesn't tell us anything about their MFA implementation and whether attackers reused a session or did some other trick (e.g. time-based tokens by design can be used multiple times within the given time period, or you could hijack the first MFA token while it's being sent to the server and present an error; now you can use this token yourself while the user successfully logs in with the second token).
Once you get the password vault, it's very likely that you also get the creds necessary to set up the VPN. Besides, there are ways to bypass a (poorly implemented) VPN, and relying on VPNs isn't even the best practice nowadays.
I agree with you that a few CISOs getting sentences would be the fastest way to raise the bar across the tech sector, but that's never going to happen.
A secure MFA implementation requires a second device to authorise the login. As you correctly point out, generating a code and then entering it on a compromised machine is SFA, as it treats the token as a second password. If MFA is implemented correctly, the only attack vector should be the session token.