For a lot of people…it comes down to securing an email account. If an attacker gains access to that, they can figure out who you do business with and perform password resets at those sites. If the site's 2FA allows for a code to be sent to email…then that would bypass SMS- and app-based security anyway.
That’s my biggest beef with 2FA. If I don’t have my authenticator app, it should take a lot of work and/or several days to get into my account. Otherwise, what’s the point of the authenticator app?
The backup/recovery method adds the work in the form of gaining access to a separate service like email or a phone number. It also is just shifting the responsibility for authentication, but not having a quick way to recover access means a bunch of support requests that cost money and result in unhappy users.
Some services do require a certain period for recovery or allow users to completely disable recovery.