I think the trouble is key loss. Even more than falling back to SMS is the fact that if you lose a key and don't have a recovery key file, you can basically beat the whole thing with social engineering.

In a corporate environment, it can be a bit different since if someone breaks their phone or Yubikey and needs me to disable MFA, you can make them call you, tell you the last board game you played together or the last project you helped them with, and verify their identity. But that only works in companies of ~100 developers. You get larger than that, and you can't even do that anymore, and need to fall back to pre-set security questions.

Services like Google, Github, etc. don't have huge support staffs for their free projects, so it makes sense (for them) to have these fallbacks.

Honestly, having security and unique passwords for everything (especially e-mail accounts that get password resets) is probably more important than MFA for these big services.