by Johnny555 733 days ago
Doesn't "old android phone" also mean one that's no longer getting security updates? Probably not what you want on a phone that hosts your TOTP tokens.
2 comments

If you don't run random apps and/or use it for web browsing, and block incoming SMS, a standalone device would have a smaller attack surface. If you really wanted to be paranoid, TOTP is computed off the time and a seed value and doesn't need Internet access, so the standalone device could have the cell modem and Wi-Fi disabled to reduce the attack surface even more.
Good point.