That’s because people are stupid enough to never write down their keys and it’s better to have somewhat worse encryption compared to no encryption.

In an enterprise the recovery keys are most often stored in AD or Entra.