
partly because this is a bit easier to implement, so the barrier to entry is lower.

Also, no network access is required for OATH TOTP tokens to work (they are derived from a shared secret and the number of 30-second segments of time since the Unix epoch), which matters if you are somewhere with no mobile coverage, or are abroad and don't want to pay roaming charges. You can also get hardware tokens for this reason.

Finally, there is no guarantee that the network between your mobile device and the web app is secure, and as we've seen with some nation states abusing wildcard SSL certificates, even SSL isn't necessarily a defense.


