It's time to rethink mandatory password changes (ftc.gov)
5 points by Sukotto on May 10, 2016 | hide | past | favorite | 2 comments


It's nearly impossible to talk about security in government orgs without extreme bikeshedding regarding password length, changes, and special characters.

It's not only about security - we have to factor out usability to prevent yellow stickers with "hard passwords".

2FA gives both usability and security, and easy detection of dictionary attacks against the system - it could even allow for deliberately leaking passwords and then monitoring honeypots.
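The detection idea in the comment above, as an added example that is not part of the original post: with a second factor in place, a correct password followed by a failed second factor means someone other than the user knows that password, and a deliberately "leaked" bait account's password being used at all is a tripwire. The log format, field names, the `HONEYPOT_ACCOUNTS` set, and the spray threshold are all assumptions made for this example; the sample events are constructed, not captured from any system.

```python
# Added example: detecting dictionary/spray attacks, known-password use, and
# honeypot-password use from authentication events. Log format, result names,
# and thresholds are hypothetical.
from collections import defaultdict

# Constructed sample events (not from a real system). One event per line:
# timestamp user src_ip result
# result is one of: bad_password, password_ok_mfa_failed, success
SAMPLE_LOG = """\
2016-05-10T08:00:01 alice 203.0.113.7 bad_password
2016-05-10T08:00:02 bob 203.0.113.7 bad_password
2016-05-10T08:00:03 carol 203.0.113.7 bad_password
2016-05-10T08:00:04 dave 203.0.113.7 bad_password
2016-05-10T08:00:05 erin 203.0.113.7 bad_password
2016-05-10T08:00:06 frank 203.0.113.7 bad_password
2016-05-10T08:01:10 alice 198.51.100.4 password_ok_mfa_failed
2016-05-10T08:02:00 alice 192.0.2.10 success
2016-05-10T08:03:00 bob 192.0.2.11 bad_password
2016-05-10T08:03:30 honeypot-svc 203.0.113.9 password_ok_mfa_failed
"""

# Accounts whose passwords were deliberately "leaked" as bait (hypothetical).
HONEYPOT_ACCOUNTS = {"honeypot-svc"}

# A single source failing against this many distinct accounts is treated as
# a dictionary/spray attempt rather than one user mistyping.
SPRAY_MIN_ACCOUNTS = 5


def parse_events(text):
    """Parse the whitespace-separated event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "result": result})
    return events


def find_spraying_sources(events, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Source IPs that failed the password check against many distinct accounts."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "bad_password":
            failed_users[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in failed_users.items() if len(users) >= min_accounts)


def find_known_password_events(events):
    """Correct password but failed second factor: the password is known to someone
    who is not the account holder. Each hit is worth a forced password reset."""
    return [(e["user"], e["ip"]) for e in events if e["result"] == "password_ok_mfa_failed"]


def find_honeypot_hits(events, honeypots=HONEYPOT_ACCOUNTS):
    """Any correct-password use of a bait account, whether or not the login
    ultimately succeeded. Nobody legitimate uses these, so any hit is an alert."""
    return [(e["user"], e["ip"], e["result"]) for e in events
            if e["user"] in honeypots and e["result"] != "bad_password"]


def analyze(text):
    """Run all three detections over a log and return the findings."""
    events = parse_events(text)
    return {
        "spraying_sources": find_spraying_sources(events),
        "known_password": find_known_password_events(events),
        "honeypot_hits": find_honeypot_hits(events),
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_LOG).items():
        print(name, findings)
```

In the sample, 203.0.113.7 is flagged for failing against six accounts, alice's password is known to whoever sits at 198.51.100.4 even though the MFA step stopped them, and the bait account trips the honeypot check. Note that the spray check keys on source IP only; a distributed spray from many addresses needs a per-account or global failure rate as well.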


I can tell you working as a federal contractor or employee in an IT department that complex passwords are hard for most people to remember.

We always had to reset the password to "Password" or some other easy-to-remember word for people who forgot theirs, and then they were supposed to change it when they logged on, but more often than not they didn't even bother to change it.

So you had administrative accounts for all of the managers, because they wanted access to everything to monitor employees. When those accounts had an easy-to-guess password, crackers could get in and mess with stuff.

It isn't just people outside the organization; people inside the organization want to crack databases and steal stuff so they can sell it.

I worked for a law firm, and some people in the business office had DDoS tools to take out my machine because I was a programmer. I wrote a function called SQlFilter that filtered out SQL control codes and tripled up single quotes so they couldn't do an exploit in SQL to drop tables or edit data. I wasn't very popular for writing that function.
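An added example, not the commenter's SQlFilter and not code from any project discussed on the page, showing the limit of the quote-escaping approach described in the comment above. The `sql_filter` function here is a hypothetical stand-in that doubles single quotes and strips separators; it holds up when the attacker-controlled value is inside a quoted string literal, but does nothing for a numeric context where no quote character is needed. The parameterized version closes both cases. The table and rows are constructed for the example, using Python's standard-library `sqlite3`.

```python
# Added example: quote-escaping filter vs parameterized query.
# The filter, table, and rows are hypothetical, constructed for illustration.
import sqlite3


def make_db():
    """In-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def sql_filter(value):
    """Hypothetical escaping filter in the spirit of the comment: double every
    single quote (the SQL escape for a quote inside a literal) and drop the
    usual statement separators and comment markers. Not a general defence."""
    value = value.replace("'", "''")
    for token in (";", "--", "/*", "*/"):
        value = value.replace(token, "")
    return value


def lookup_by_name_unsafe(conn, name):
    """String-built query guarded only by the filter. Because the value is
    wrapped in quotes, doubling quotes does neutralise the classic
    x' OR '1'='1 payload: it becomes one long, non-matching string literal."""
    query = "SELECT name, role FROM users WHERE name = '%s'" % sql_filter(name)
    return conn.execute(query).fetchall()


def lookup_by_id_unsafe(conn, user_id):
    """Same filter, but the value lands in a numeric context with no quotes
    around it. The payload 2 OR 1=1 contains nothing the filter touches, so
    the WHERE clause becomes  id = 2 OR 1=1  and every row comes back."""
    query = "SELECT name, role FROM users WHERE id = %s" % sql_filter(user_id)
    return conn.execute(query).fetchall()


def lookup_by_id_safe(conn, user_id):
    """Parameterized query: the value travels separately from the SQL text and
    is never parsed as SQL, so the same payload simply matches no row."""
    return conn.execute("SELECT name, role FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("name, benign: ", lookup_by_name_unsafe(conn, "bob"))
    print("name, payload:", lookup_by_name_unsafe(conn, "x' OR '1'='1"))
    print("id, benign:   ", lookup_by_id_unsafe(conn, "2"))
    print("id, payload:  ", lookup_by_id_unsafe(conn, "2 OR 1=1"))
    print("id, safe:     ", lookup_by_id_safe(conn, "2 OR 1=1"))
```

The point generalises beyond the numeric case: any place a filtered value is spliced into SQL outside a quoted literal (an ORDER BY column, a LIMIT, an identifier) is out of reach of a quote-doubling filter. Parameterization only covers values, so identifiers still need an allow-list.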



