by phicoh 2404 days ago
Normal defects are 'easy': you have a contract to obtain a product or service with certain features. If the product or service doesn't have those features, it is a defect and a failure of the providing party to comply with the contract.

Of course, no phone contract says anything about securing SIMs (for the purpose of authentication). So it cannot be a defect.

Safe to use is often in relation to bodily harm, which doesn't apply in this case. Outside any specific law, if you use an unencrypted text messaging service between subscribers for authentication purposes, then you are on your own.

In this case, the actual harm is caused by the companies that decided to use text messaging for authentication purposes without verifying that the underlying service is fit for purpose (or having a contract with telcos that explicitly lists this purpose).

Of course, nobody is going after Twitter to recover damages from them.