Having to call/visit and social engineer an employee is an order of magnitude more work than just logging in with stolen credentials, which can be entirely automated. SMS 2FA is valuable when it can prevent credential stuffing attacks. It's a vulnerability when it can be used to reset passwords and recover accounts.