
MFA isn't solely about "the user had poor security posture and can't be trusted". It's about what happens even if the user's info is leaked by an information breach of a service. I.e. "having the login info for the service isn't enough, the user must be notified and approve of the login via a separate factor".

That's why MFA is referred to as defense-in-depth rather than being a better password.


