While you are right, you're missing the real problem. SMS 2FA is a systemic threat vector for identity takeover. Buy out one employee for $20 and you have access to take over any one of millions of users. Additionally, the victim won't figure out there was an attack right away. And the attacker can live anywhere in the world.
If someone wants to rubber hose me, they have to physically come to my area and that doesn't scale except for high value targets. Tolerating SMS as 2FA is absurd with built-in passkey capabilities backed by biometrics/code built into a device you can buy for $100 and already carry with you 24/7.
>>>and that doesn't scale except for high value targets
Real-world activities (kidnapping, rubber hose, fingerprint stealing, whatever) aren't worth it for medium-value targets, true - but my point is that SIM swaps aren't either - for low-value targets.
From the article, they're offering $300 per - so the expected value from these specific compromised accounts must be more than that (I'd guess $1k min). This makes it pretty clear that if you're protecting accounts worth ~$50, SMS is probably "good enough". And for some users that's the right trade-off.
My point is that SIM swaps are possible from the other side of the world and rubber hose isn't. The targetable base for remote SIM swap attacks is everyone from anywhere.