Plus, even if its secured, if hes used any type of wallet with a faulty RNG, its a ticking timebomb. Hence why theres only a few well known wallets that I trust to have a secure RNG.
Quite a few people on here who take security measures like 2FA on online wallets get quite cocky about it, but thats not enough. A good, audited hardware wallet like ledger, an audited paper wallet generator, or a wallet like electrum 2FA is probably one of the of the few ways to keep coins 99.9999% secure. Even then, there is the $5 wrench attack (google it).
Even the trezor hardware wallet had an exploit which helped some soul here recover $30k USD of coins - $3000 bounty to the hacker he paid to help him, a wallet used to secure millions of pounds in coins:
https://www.wired.com/story/i-forgot-my-pin-an-epic-tale-of-losing-dollar30000-in-bitcoin/granted, you needed physical access and its been patched, but no system is infallible. Plus i bet there are many trezors out there which hasn't been updated. And this is one of the go-to secure wallets, but very few notices it uses a generic microcontroller.
Best that people on here even those who are 'i told you so' type, should never get cocky. Even I do not, and i use multiple wallets. And now is not a time to get cocky or i told you so when some poor soul has lost £30k.
Even I, a big proponent of bitcoin security had a dumb moment and entered my ledger PIN wrong three times, making good storage of multiple backups of the seed vital. Not counting the time my other ledger wallet somehow became defective, im currently trying to RMA it with them now, but i still have used, and trust their product for years after doing my research.
2FA while good, is not enough on its own, i proved this to a friend of mine with his permission, was easily able to social engineer most places to remove it. Yes, always enable it, though.