Do auditors care? All the ones I've dealt with just want you to log everything and rake your face over the hot pavement for their stamp of approval, actual security be damned. I'm surprised they even require 2FA at all.
Our auditors were perfectly willing to treat FIDO2 2FA as a specific mitigation against phishable credentials and whatnot. Really depends on your auditor/the case you make.
My point is the other methods should not be considered acceptable as 2FA because they are phishable. But yes, I'm sure there are competent auditors (as opposed to the ones who are financial auditors from accounting firms and completely out of their depth in matters of security).
The problem is that unless there is a big stick, like a cybersecurity insurance company saying "unless you use U2F keys for 2FA, you are not covered", there is no incentive to change.