I'll take that bait ;-)

IP filtering is a valuable factor for security. I know which IPs belong to my organisation and these can be a useful factor in allowing access.

I've written rules which say that access should only be allowed when the client has both password and MFA and comes from a known IP address. Why shouldn't I do that?

And there are systems which only support single-factor (password) authentication so I've configured IP filtering as a second factor. I'd love them to have more options but pragmatically this works.

Defense in depth is a thing but I agree that relying on it is not a good idea.

IP filtering + proper security is better than just having the security.

There's value in restricting access and reducing ones attack surface, if only to reduce noice in monitoring.