I think there’s lots of reasons. I may or may not have work/worked for a bank. Typically, they use HSA’s tied to large range systems like z/OS that generate the seed. The seeds themselves are secure and are not really prone to time attacks like authenticator apps/soft tokens sometimes are.

Its a stupid trade off tbh. However, I think its less likely for people to call in frantic because they can’t get into their bank account because everyone are more likely to retain access to their phone and/or email than for the bank to support a 3rd party authenticator app that may or may not be backed up from another 3rd party software.

Also, over time, the authenticator apps can get off sync by a few seconds. That’s why its typically offset by 30 seconds when you set it up on most sites, which lessens the likelihood of it getting too off sync for it to work. However, it widens the gaps for time based attacks to bypass 2fa altogether. RSA Securid, I believe, is only like 3 seconds by default but don’t quote me on that. That’s why you gotta replace the hard tokens for those every 60 months. The battery in them slows down the clock and it gets out of sync.

I could be wrong, but i believe every time you shut your phone off, technically, gets your soft tokens out of sync ever so slightly too. I once had an authenticator app on a phone where the battery died or something that prevented me from turning it back on. It took like a month or two before I could get back in it. By the time I did, none of the soft tokens worked anymore because it became offset by more than 30 seconds.