
This is exactly why 2FA with SMS is not secure at all. If someone really wants to get into your account, all you have done is add one extra step where they need to steal your phone account and then they steal your other account. It has been shown how easy it is to steal someone's phone account and transfer the number to a cheap burner phone or online service. This also kills your cell service, so unless you have another phone to use you can't even call to secure your accounts, so the attacker has plenty of time to break into all your other accounts.


> is not secure at all

Absolutes are the wrong language. It adds a significant burden (steal the user's phone account), which if nothing else requires individual attention, which drastically changes the economics of an attack vs, say, mass automated attacks using leaked passwords checking for re-use. Sure, you and I might have unique randomly generated passwords for our accounts, but not everyone is so careful, and SMS verification can and does save many an account.



