Generally the justification is "hey, we offer one form of 2FA, that's pretty good. This TOTP thing is for paranoid nerds." Bosses see it as extra work for ~no gain, so what's the point? You can explain the technical superiority of the approach until you're blue in the face, but they see it as just another way to do what's already implemented.
This! There is no additional security for aware users with MFA. Make MFA turned on by default, OK, but for god's sake, if you provide only SMS-based 2FA, allow it to be disabled.