Yeah, very surprising. Perhaps companies lose the ability to get this stuff done as they grow larger.
An even more shocking example is Transferwise, supposedly a cutting-edge star of the "fintech" scene. They use SMS-based codes, a wildly insecure form of OTP. Over a thousand employees and they cannot even implement some sort of app-based TOTP (such as Google Authenticator) to protect their clients' money.
Transferwise is quite low risk in this regard. They don't have a balance or anything like that; it's only moving money between 2 accounts in a transactional manner.