I missed this question buried in all of the noise and incorrect information.

Yes, this seems kind of dumb, but the vast majority of end-user account compromises don't involve stealing your device, it's mostly about just getting your username/password combo (most of the time, this happens because they get it through a data breach from a different site (tons of people reuse password so if site X gets breached, an attacker can buy the data and try that password on other sites). These attacks happen at scale, they aren't like stealing one phone at a time and trying to open all the apps on that phone.

In any case, SMS-based 2FA is really the worst kind of 2FA, but it's significantly better than nothing.