What's really "unfair," as you put it, is trying to excuse United's lack of 2FA because of some hours spent inflight versus the 8760 hours in every year.
What
exactly are you worried about? Hacking the corporate loyalty database is far more lucrative than hacking an individual airline app.
You could always skip the app and website and use the phone.