Telcos are notoriously bad for customer service, and make it easy for criminals to "social engineer" your cell phone number to their phone, and then proceed to reset your passwords using the SMS code they receive. That goes for email, banks, credit cards, etc. Each factor of authentication is a new vector for attack, so services should never rely on just one to supersede another.