
2FA is not the main target here, it’s SMS one time password flows. Where you never go through a traditional account setup, you just enter your phone number, it sends you a text with a one time password (generally embedded in a URL you can click), and you’re logged in.

With 2FA, you at least have to log in successfully without the cell phone first, so it’s harder to exploit. You can pretty easily rate limit 2FA prompts per account, auto-ban malicious accounts, etc. SMS OTP flows, on the other hand, are extremely easy to exploit - the text is sent before any sort of association with an account occurs, making rate limiting, banning, etc. much more difficult.
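An added example, not from the commenter, of the pre-account throttling the comment says is hard to do: since no account exists yet when the "send me a code" request arrives, the only keys available are the destination phone number and the requesting source IP, so the limiter below keys on those (both inputs are assumed to be supplied by the caller).

```python
import time
from collections import defaultdict, deque


class OtpSendLimiter:
    """Sliding-window limits for an unauthenticated SMS OTP send endpoint.

    There is no account to rate limit against, so limits are keyed on what
    the request itself carries: the destination phone and the source IP.
    The caller should return the same response whether or not a text was
    actually sent, so a refused request reveals nothing.
    """

    def __init__(self, per_phone=3, per_ip=10, window_s=600, cooldown_s=30):
        self.per_phone, self.per_ip = per_phone, per_ip
        self.window_s, self.cooldown_s = window_s, cooldown_s
        self._phone = defaultdict(deque)  # phone -> send timestamps
        self._ip = defaultdict(deque)     # ip    -> send timestamps

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] > self.window_s:
            q.popleft()

    def allow(self, phone, ip, now=None):
        """Return (allowed, reason); records the send only when allowed."""
        now = time.time() if now is None else now
        pq, iq = self._phone[phone], self._ip[ip]
        self._prune(pq, now)
        self._prune(iq, now)
        # Per-number cooldown: stops a single number being hammered back-to-back.
        if pq and now - pq[-1] < self.cooldown_s:
            return False, "cooldown"
        # Per-number budget: bounds SMS cost and pumping against one victim.
        if len(pq) >= self.per_phone:
            return False, "phone_limit"
        # Per-source budget: bounds one client spraying many numbers.
        if len(iq) >= self.per_ip:
            return False, "ip_limit"
        pq.append(now)
        iq.append(now)
        return True, "ok"
```

The constants are constructed defaults; in practice the per-IP limit also needs a global send budget behind it, since a distributed sender can spread requests across many sources.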


