For a lot of people…it comes down to securing an email account. If an attacker gains access to that, they can figure out who you do business with and perform password resets at those sites. If the site 2FA allows for a code to be sent to email…then that would bypass SMS and App based security anyway.
The backup/recovery method adds the work in the form of gaining access to a separate service like email or phone number. It also is just shifting responsibility of authentication, but not having a quick way to recover access means a bunch of support requests that costs money and results in unhappy users.
Some services do require a certain period for recovery or allow users to completely disable recovery.