Secure/not-secure is not a binary distinction. And SMS-based 2fa is still more secure than password alone.
One thing I've become painfully aware of recently is how all MFA is rendered pretty insecure by various "fallback" processes. I recently switch jobs and realized I had a few accounts using my old work phone as SMS 2fa number. In every case it was ridiculously easy to call a CSR and get 2fa disabled from their end.
Fallback processes are the way SMS can make things worse. Report a lost password, verify yourself with your SIM-swapped SMS, maybe apply a little social engineering. I'd rather have just a strong unique password than use SMS. (And of course I'd much rather have good 2FA.)
One thing I've become painfully aware of recently is how all MFA is rendered pretty insecure by various "fallback" processes. I recently switch jobs and realized I had a few accounts using my old work phone as SMS 2fa number. In every case it was ridiculously easy to call a CSR and get 2fa disabled from their end.