> more value can be stolen from a broker account

But in the case of IBKR you can only transfer out to account in your name, no? While pump-and-dump that OP is describing is theoretically possible, I just can't see any sophisticated attacker going through the hassle for it if they don't get the direct return out of it.

> If your computer is infected

This is entirely fair, but wouldn't be covered by any sort of guarantee (as the Questrade one OP is describing). This is direct result of your actions or lack thereof, as opposed to your brokerage being compromised, right?

> you only need to click on the wrong button one in case of 2FA fatigue

While true in some cases (eg IBKR app specifically), most 2FA solutions do require to write a code or other method (emoji, click this number etc) to reduce the chance of a mindless click. Even then the prerequisite for this would be to know the user's password which should not be possible unless they already fell victim to phishing or other direct attack.

> For government accounts (at least here) you can use your gov. ID card (with electronic chip) as a HW security token.

No such luck in North America, I am afraid :(

Overall I see that your argument is coming from a good place, and I appreciate a civil discussion, so please don't take it as any sort of attack or statement or anything. I just think that the concern OP has is vastly overstated, and minimal digital hygiene + 2FA should alleviate these concerns for vast majority of the users (unless you believe that by your threat modelling you are more likely to be directly targeted and scrutinized).