This has always boggled my mind - if you don't trust me to pick a decent password and maintain my own machine, why in God's name would you trust me to write code or deploy/maintain company infrastructure?
1. Even if they trust you, they might not be willing to extend that trust to non-technical staff (or even non-infra staff) and having a global policy is the easiest. 2. Even if they trust you, your employer's customers definitely don't, and a lot of big contracts will have security exhibits that explicitly require MFA if you're handling their data.
They _don't_ trust you to do that stuff. Not unilaterally at least. In a healthy system you generally aren't able to change anything without sign-off from multiple other people.
If I have a group of N people who I individually don't trust not to use mike1234 as a password, I wouldn't trust them as a collective either - at least until N gets impractically large.
Also, the argument they make is that they don't trust every single component of your machine, and want to mitigate the damage caused by an attacker or malware breaking in and impersonating you.
Nah, it's not lack of trust, it's just compliance and plausible deniability.