Coinbase has extensive access to mobile provider data. They can see when number ported and what phone the thief uses, but it's really hard to make decisions.
I understand that it's hard in the edge cases, but a port followed by account recovery within a short period of time should be enough of a red flag to immediately lock the account.
If a customer loses the phone, and then ports the number instead of replacing it, and also forgets their password at the same time... yeah, I think it's fair to give them a bit of a hard time before letting them in.
Video verification sounds reasonable, as would some wait time. What's not reasonable in that situation is a self-service fully automated account recovery via SMS and e-mail verification followed by allowing withdrawals.