The point is that if Instagram thinks that people getting their passwords stolen is an important enough problem to offer MFA, then an abuse of MFA that only affects people who have their passwords stolen should be an equally important problem.
Instagram knows that people password spray its service regularly and that many popular accounts are often targeted for takeover by scammers. This is a common problem for them and happens regularly They also know what those threat actors do once they get an account.
I'm betting this scenario isn't one they see happening after an account is compromised or is easy to detect etc, and for those reasons the risk is different. How likely a vulnerability is to be exploited plays an important part in deciding the risk it carries.
