So an entire class of attacks would have been removed and the attacker would have moved to another class of attacks.
As for running code in the environment there are many, many ways to deal with that. Obviously it's an easier environment to audit, but it's also much easier to control.
Yes, I don't disagree with anything you said. I am not saying MFA may not have at least slowed down the threat actor but the focus here should be how easy lateral movement was. Like you said there are many ways to get in. If the network share was treated the same as internet facing stuff though, that sounds like a deeper issue many orgs face but I am surprised that a fairly new org like Uber is not doing that already.
As for running code in the environment there are many, many ways to deal with that. Obviously it's an easier environment to audit, but it's also much easier to control.