
Yeah, but say I am an attacker doing some kind of brute force password hack, and I have a certain number of successes.

Given the funnel there, it might well be worth it for me to put some energy into figuring out who the person at the other end of that account is. Phone numbers aren't secrets.



Yeah, agreed. But again I'm not arguing that SMS is the best second factor, I'm arguing that (used correctly) it's better than no second factor, which is what it's actually competing with in the real world.

Generally, I think services should offer TOTP, email, and SMS, and strongly encourage TOTP. But not offering SMS just means some segment of customers won't have a second factor at all.



