They shouldn't make 2-step mandatory, but they should definitely have it defaulted to prompt the user to set it up when they create their account, or when they're switching to PS4 (or any new PS device), or they could've prompted every single user to do so when they actually enabled it.
It's not like two-step is something people are just glossing over; a lot of people don't know it's even added, other people don't realize that Sony's security is so lax that it won't inform you about sign-ins from new drastically different locations.
Basics for 2013 security:
-New sign-in locations should send a notification
-New console sign-ins should send a notification
-Multiple Sign-In attempts should send a notification and temporarily lock further attempts until it's rectified
-Two-step should be expanded upon and users should be prompted at account creation. Security Code Generator Apps would be great, I use one for my google, battlenet, steam, uplay, origin, xbox etc etc..
-You should be able to review Security Activity to see sign-in attempts, incorrect passwords, brute-force attempts etc etc..
And holy shit, support shouldn't be closed on weekends. wtf.