The analysis is fair, but the conclusion is wrong. Nothing stops a phishing site from just luring you into granting it a lot of rights via OAuth. And if your OAuth server doesn't let your users use X or Y service, they will just sign up for it with a password anyway.
The solution is user education, not federated authentication (whether with two-factor authentication enabled or not).