Also, SMS isn't, because attackers often get access to the SMS network itself (see e.g. Salt Typhoon) in which case they can do automatic mass account stealing because they can see all the totally unencrypted SMS codes.
Not to mention LTT showed the ability to spoof and steal SMS directly, on specific targets using the international phone system trust, something that is effectively impossible to block due to the inherient trust built into cell companies at the moment.
Also, SMS isn't, because attackers often get access to the SMS network itself (see e.g. Salt Typhoon) in which case they can do automatic mass account stealing because they can see all the totally unencrypted SMS codes.
The security of SMS really is that bad.