this sounds familiar
"Microsoft solution that relies on using either a smartphone app, texts to a mobile or e-mails to a non-corporate account. My issue with this is that very few users are issued with company phones and I'm not willing to use my personal device for corporate stuff."
Uh, are you me? You've described my $WORK situation, ticking all the boxes.
Aside from the unwillingness to fund some kind of hard token MFA device for o365 access (I assume the reluctance is financial, but IT and the big bosses aren't saying) the ultimate goal here appears to be coercing the userbase entirely onto Windows desktops with Outlook.
The list of caveats and disclaimers about things that won't quite work right with ios, android, and heaven forbid, Linux, is daunting. And anything which accidentally works today, probably won't work right "later" when some new app control mechanism or whathaveyou is implemented.
So when you read about the sorry state of affairs wrt IT security, perhaps some of the failure to embrace and accept it has as much to do with how (poorly) it's sometimes implemented, because it ends up feeling more like punishment and vendor lock-in and much less like "protection".