by techsupporter 2728 days ago
If the reset process allows for both the 2FA and the password to be reset using a single one of the four points you've mentioned, then yes, it's a terrible design that should be scrapped immediately.

However, if any of the four points you've mentioned allow for only resetting the 2FA option and still require possession of the password, then I think you're more secure with 2FA enabled. Why? Because the reset step, if nothing else, provides an additional hurdle to be crossed. Yes, SMS 2FA is terrible and anyone who uses it should be barred from owning anything more complicated than a light switch, but that doesn't discount all of the other, better methods.

Even e-mail as a reset factor can be more secure if the e-mail account is secured. In my experience, people are more willing to put up with "hassle" to secure their e-mail because it has stuff they care about in there. It's been far easier for me to get people I know to enable app-based or (shockingly) even physical device 2FA with a Yubikey on their e-mail accounts. I even know two older, non-technical people who already had it enabled because "I read that it's better for e-mail so I turned it on and put that printout it made me do in the safe."

So 2FA seems to me like it can be more secure as long as it is really 2-factor auth and not "oh enter this other code... or also just use your phone to reset all access methods" (like some banks do, damn it).
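The distinction the comment draws (one recovery channel resetting both factors versus a 2FA reset that still needs the password) can be checked mechanically. The script below is an added example, not code from the commenter or any provider: it models an account's login factors and recovery flows as constructed data and computes how many distinct proofs (stolen credentials or controlled recovery channels) an attacker needs before every factor is in their hands, chaining flows where one reset unlocks another. It goes one step beyond the comment by showing that "2FA reset requires the password" only helps if the password itself cannot be reset by the same channel.

```python
from itertools import combinations

def takeover_cost(factors, flows):
    """Minimum number of distinct proofs an attacker must control to end up
    holding every login factor. Proofs are stolen factors or recovery channels;
    a flow whose requirements are all held replaces the factors it resets, and
    flows are applied repeatedly so resets can chain. Constructed model."""
    proofs = set(factors)
    for flow in flows:
        proofs |= set(flow["requires"])
    for size in range(1, len(proofs) + 1):
        for combo in combinations(sorted(proofs), size):
            held = set(combo)
            changed = True
            while changed:  # apply every recovery flow the attacker can satisfy
                changed = False
                for flow in flows:
                    if set(flow["requires"]) <= held and not set(flow["resets"]) <= held:
                        held |= set(flow["resets"])
                        changed = True
            if set(factors) <= held:
                return size
    return len(proofs)

FACTORS = ["password", "2fa"]

# Constructed policy: a single recovery channel resets both factors at once.
SINGLE_POINT = [{"requires": ["sms"], "resets": ["password", "2fa"]}]

# Constructed policy: 2FA reset needs e-mail plus the password; password reset
# needs e-mail plus the second factor. No single proof resets everything.
PASSWORD_GATED = [
    {"requires": ["email", "password"], "resets": ["2fa"]},
    {"requires": ["email", "2fa"], "resets": ["password"]},
]

# Constructed policy that looks password-gated, but e-mail alone resets the
# password, so the two flows chain into a single point of failure.
CHAINED = [
    {"requires": ["email"], "resets": ["password"]},
    {"requires": ["email", "password"], "resets": ["2fa"]},
]

def main():
    for name, flows in [("single point", SINGLE_POINT),
                        ("password gated", PASSWORD_GATED), ("chained", CHAINED)]:
        print(f"{name}: attacker needs {takeover_cost(FACTORS, flows)} proof(s)")

if __name__ == "__main__":
    main()
```

A result of 1 means the account is no safer than a password-only account whose password is reset through that same channel.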