It's not just the user's choice to make. They are not risking just themselves, they're risking all the other users that could be harmed by the compromise of their account. The bitcoin scam videos posted on YouTube, the fake Facebook likes, the spam sent to random Xbox accounts, the fraudulent credit card charges done on in-app purchases in an attacker-controlled app that get charged back, the Mugged in London scams sent to their email contacts, etc.
What you're saying is basically "if I don't wear a mask during a pandemic, I accept the risks of catching the virus". No. You are opting an indefinite number of other people into transitively catching the virus despite not accepting that risk.
> if I don't wear a mask during a pandemic, I accept the risks of catching the virus
No, your metaphor is rather flawed. Better one would be "if I don't see anyone during a pandemic, I do not need to wear a mask."
If anyone hacked my email account, I would certainly be harmed, with a very low probability. However, Google made sure that I was _certainly_ harmed by it: for quite some time I could not access a vitally important information, which caused me significant stress.
Apologists such as you miss the point: I specifically foresaw the situation, and disabled 2FA to avoid it. And still, Google decided that it knows better. Well, that was before I decided that I know better and deGooglified my life. Chrome->Firefox, Google.com->DDG, you know the drill.
What you're saying is basically "if I don't wear a mask during a pandemic, I accept the risks of catching the virus". No. You are opting an indefinite number of other people into transitively catching the virus despite not accepting that risk.