Having the possibility/capability of intercepting the SMS is only effective if the ID and PIN are already known, and while surely there are "other" ways to get them, the attacker needs all three.
From what I have read/seen, most if not all successful attempts to access someone else's bank account online go through some form of phishing.
Not only phishing, but too many people have the terrible habit of using the same password everywhere. So with public breach data, it's not a stretch to think bad actors would try, and probably be successful way too often, to use said credentials on bank sites.
The entire point of two-factor authentication is to provide an extra layer of security for when the first layer is compromised.