The average person doesn't understand the security issue and would view using a secondary auth method to be a hassle. Especially when they just want to log in to Windows to play a game or check Facebook.
Does it even matter, if most people's passwords are "password" or "12345"? Does it matter if people are falling for the fake anti-virus malware popups? I think hackers would be much more productive if they simply sent out an email to all Hotmail users and said "Microsoft will deactivate your account in 7 days unless you reply. Please reply with your login info to keep your account active."
Finally, the Gizmodo employee wouldn't have been hacked at all if Apple support hadn't reset his password over the phone. The blame lies entirely with that Apple tech support employee.