TOTP isn't phishing-resistant, which is the whole ballgame. I've had the job of working on authentication for highly-targeted mass-market systems, and code-generators basically don't work: they raise the bar on phishing attacks to a level phishers still easily meet.
TOTP and SMS 2FA prevent credential stuffing attacks, which is very valuable considering how bad people are with password reuse and how many breaches with plaintext or weakly hashed passwords there have been.
Yes, but other authentication factors also prevent credential stuffing, as well as phishing, which is probably the most important problem in authentication.
