If SMS is not encrypted, why do companies send 2FA over text instead of email or something else?


Couldn’t someone intercept the text and get into my account?


26 Answers

Anonymous

SMS is mostly secure enough, and there are significant convenience and simplicity advantages. The 2FA is, after all, the second factor; a hypothetical attacker would still have to know your password and be physically near you with a mobile sniffer when you get the SMS. Realistically, it’s not much of a security concern.

But of course, there are better methods that don’t have this vulnerability, and they do get used. Authenticator apps are pretty good, physical security tokens are even better, and physical security tokens with biometric locks are the best you can reasonably get. Does remote access really need to be allowed? Requirement of onsite presence in a secured area and proof of identity is more secure. How much security do you need? At the end of the day, you are still vulnerable to [pipe wrench cryptanalysis](https://xkcd.com/538/).
