
It's a different set of protocols, reducing the surface area of successful breach strategies. If you simply added three digits to credit card numbers but maintained the same protocols on the credit card numbers, it wouldn't improve security nearly as much. There are fewer tactics that will successfully get you N+M digits than those that would get you the N digits. Most 2FA works the same way. It's not like the six digits of Google Auth add security, but the protocols around them.

To put it another way: the value of those extra three digits is that they are indeed "more secret". They exist on far fewer hard drives.


