Let's say the bank also uses 2FA (say, physical code calculators) - your next step?


Install system malware, wait for the next login (which will be soon, since the short session is forcing repeated logins), and send the session token to myself.

Done. Now I have an active session. Don't give a fuuuuck about that 2FA device.


This is a bit like saying, "there's no point in having a lock on my door because somebody in my house can shoot me". The fact that an outer ring of security can't protect you from people who are already in an inner ring doesn't invalidate the outer ring.

If you already own somebody enough to install whatever malware you want on their computer, then sure, session lengths aren't going to stop you, but they're also not intended to. Session lengths are intended to stop the guy at the coffee shop who grabs your computer when you go to use the bathroom.