To be fair, banks do an OK job of that. (Well, it's hard to take over an account purely by remote social engineering, some of mine still blindly use SMS as an authentication thing...)
Telcos do not secure phone numbers to banking grade security, because they never agreed to be part of anyone's critical security posture, and their own incentives are to make it as easy and quick as possible for customers to move their phone numbers around. It's in the telco's interest for you to be able to walk into a $TelcoBrand store and walk out with a functioning device with your old number. (Or to call up their support line and do the same thing.) They never offered to make that more difficult than it needs to be just because companies like PayPal wanted to outsource security to be somebody else's expense. They've been actively recommending against it since forever:
Telcos do not secure phone numbers to banking grade security, because they never agreed to be part of anyone's critical security posture, and their own incentives are to make it as easy and quick as possible for customers to move their phone numbers around. It's in the telco's interest for you to be able to walk into a $TelcoBrand store and walk out with a functioning device with your old number. (Or to call up their support line and do the same thing.) They never offered to make that more difficult than it needs to be just because companies like PayPal wanted to outsource security to be somebody else's expense. They've been actively recommending against it since forever:
https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for...