2 factor should be done on every critical site, like a banking website, primary email, etc. I personally don't bother on things like, for example, a forum about woodworking, if that were even an option.
Sadly, that's not the worst of it. Some places are still storing in clear text. I used a site once where the 'forgot password' link actually just emailed me back my password in clear text.... I emailed them right away to complain and close my account.
The sad part is I never would have known about the complete lack of security otherwise. Examples like this are why we must use different passwords for different sites/services, and use 2-factor auth for the most critical ones.