Low user opt-in adoption.

Low demand.

Licensing costs from third party authentication providers.

Increased support costs.

Early adopter status of the technology.

Skepticism as to utility (to wit, malware that captures token keys or output).

Integration with non-interactive logins, APIs, mobile software.

Don't get me wrong, I like two factor auth, but there are lots of practical reasons it's not universal.

Bank "security" = forced < 8 digit alphanumeric code that can be overridden on the phone if someone knows my birthday. I know because I hacked into my own bank account anonymously and was able to transfer funds. Best I can do is refresh my password regularly and hope nobody finds out my birthday :P (there's more to it than that, but that's the gist of it)

I also have found that carrying around cash is a lot more secure than using my debit card. My debit card has been copied, and money stolen from my account, 5 times. To date I have never had my wallet physically taken from me nor lost any money that way. Cash is compatible with every system I interface with in-person and it carries no service charge. This seems backwards to me. Banks really need to get with the program.

So long as there's an option available that doesn't require a smart phone (or worse, a specific OS), I agree completely. As a quick example, Blizzard has had an inexpensive device [1] in addition to phone apps.

[1] http://us.blizzard.com/store/search.xml?q=authenticator