They’re trying to protect against very basic attacks. SMS 2FA is totally insecure, but unless it’s a targeted attack against something high value (think a Bitcoin exchange) the attacker will just not bother.

The main thing companies deal with is password reuse. Someone uses the same password everywhere, one site gets hacked, hackers now know that John at example com likes to use qwerty123 as their password, so they try logging into every service they know with that email/password combo. SMS is good enough to stop that.

At the same time it’s easy and companies can force it on people if they have their phone number, even without explicitly setting it up.

And they can outsource recovery to phone companies. Lost your phone? Well go get a new sim card with the same number and don’t bother our understaffed support…