If they can inject server code, they can bypass 2FA entirely. They don't need your 2FA code they'll just skip that part of the authentication.
The same goes for passwords, but with passwords there is the potential of additional value on other sites that haven't been compromised so those are always worth collecting.
This particular scenario involved injecting server code in 2015, then waiting until 2019 to use the credentials they collected. They would not be able to bypass 2FA here.
It’s true that 2FA wouldn’t protect you from having your account compromised immediately, but that’s not what happened.
The same goes for passwords, but with passwords there is the potential of additional value on other sites that haven't been compromised so those are always worth collecting.