I think businesses with critical infrastructure should use hardware keys (e.g. yubikeys) to provide at least one of the factors needed to log in to a server. Using a yubikey as an authentication key for ssh is not that difficult and I do it for my own hobby stuff.
For web based stuff one can now use webauthn to provide key based authentication (in addition to whatever other factors one would like). This requires the enterprise to run up to date browser however.
Why is this so hard?!? I agree with you, but this sentence rang so true it was sad. I've been forced to work with/around unbelievably out-of-date browsers in order to install current firmware updates on systems at almost every place I've worked.