The problem with hardware authenticators is compatibility across devices. One job I worked at a while back used Yubikeys, which were great... if you were logging in from your work PC. If you need to access your work email from your phone, that wasn't really an option without getting an exception made to your account, which required IT doing a manual reconfig of your account. And obviously they were reluctant to do that, because that just opened up more security risks that the Yubikeys were meant to prevent.
Software authenticators are much more convenient for the average user, because getting a code or approving a login via push notification is much simpler and works on nearly any device. And the willingness of the average user is a MAJOR factor in data security. If your security protocol is too difficult for the user, they're going to develop bad habits by taking shortcuts. They'll disable security systems, leave their authenticator plugged in even when they're away from their machine, etc.
Sometimes the less technically-secure option is actually more secure, due to the human element.