That's also because these systems are large, complicated, and slow moving. Not only that, but the users are resistant to change; the older you get, the faster time moves, and a decade between one system (SMS) and the next (e.g. a two factor auth app) feels short and unnecessary.
Last I checked, even the US federal government required SMS 2FA to get into your Social Security account.
But the problem is also only allowing SMS 2FA. Why not allow both and let people choose TOTP?
I have a feeling SMS 2FA is used as a cheap way to implement a rough social credit score. If you have a stable life and follow the rules, then you have continuous access to the same phone number. And only allowing SMS 2FA allows you to only deal with this population, and ignore populations that might have higher proportions of “costly” customers.
