> How is it possible to have compromised password but not compromised the second factor?

Server-side (assuming weak password storage or weak in-transit encryption) or phishing (more advanced phishers may get the codes too but only single instance of the code, not the base key).

> What is stopping webmasters from using 100FA?

The users would hunt them down and beat them mercilessly?