Because it is a deliberate tradeoff, not an oversight. The familiar kind of 2FA, a texted code or an authenticator app, exists to shore up weak, human-chosen passwords, and it leans on a shared secret and a recovery path held on a server. That is the exact attack surface the phrase model removes: your device proves it holds the key by signing a challenge, so our servers only ever receive a public key and a signature, never the phrase and never a password hash. Bolting a code on top would reintroduce the server-side machinery this design exists to avoid, while adding nothing against guessing, because 128 bits already closes that door.
The one kind of second factor that would genuinely add something is a phishing-resistant one, such as a hardware security key or a passkey, because the real residual risks are not guessing but phishing, malware, and a phrase that gets stolen or shoulder-surfed. On a device left unlocked, the app lock (PIN) and biometric unlock are the local backstop.
Beyond that, the phrase is the key, so back it up the day you create your account: keep it in a reputable password manager, or print it or write it down and store that copy somewhere safe. Never paste it into anything but the app itself.