
Yes, and not only MITM, but IRL impersonation attacks; Wired published an article about it today: https://www.wired.com/2016/06/hey-stop-using-texts-two-facto...

Attackers convinced (either with their official badges or by conning) the targets' cell service providers to change the SIM info associated with the accounts, and thereby intercepted SMS authentication codes.




You are confusing this method with one-time SMS. This isn't SMS; it uses the Javacard-based SIM toolkit to decrypt a challenge sent to the mobile number. The passcode for decryption is usually a 4 or 6 character PIN number. For an attacker to MITM this, he would have to both have the number assigned to his own SIM and he would also have to impersonate the victim and show up in person to a bank or a security apparatus and social engineer his way so they program the new SIM with his personal PIN. A bit harder than just calling up the service provider to say 'I lost my mobile phone, I have this extra SIM card laying around, can you assign my number to that?'


Yea, using a closed source and poorly vetted protocol for secure operations doesn't really sound like a good idea to me.

I hope this gets fixed.


As far as I know they are not relying on "GSM encryption" to be protected but are sending encrypted messages over SMS.



