It's not fine, considering the zero cost of enabling TOTP 2 factor authentication.
The only reason I can see for why companies don't give the option for TOTP is to force people to hand over phone numbers so they can be tracked, and in the process make the system less secure.
While you're correct it's not fine, not everyone has a smartphone or a TOTP device. There are some cases where SMS makes sense as 2FA since it's a reasonable compromise between having no 2FA or a TOTP device.
Most feature phones can also easily run a TOTP application (and have/do). There are J2ME TOTP applications that will run on hardware far back into the ancient past. There are all sorts of fun TOTP apps in the Adafruit, Arduino, RPi hacking worlds.
The algorithm is rather straightforward. The "hardest" part is the SHA1 hashing algorithm and people have written versions of that for just about every hardware under the sun, including 6502 assembly. (Hmm, an old Game Boy would make an amusing TOTP device. I should add that to my list of possible future hack project ideas.)
Just noticed the tab I had opened mentioning 6502 SHA1 hashing was to do it on old Tamagotchi hardware. Forgot that was also a 6502. Wonder if that person ever finished a TOTP Tamagotchi.
My claim is that SMS as the only 2FA option never makes sense. Wherever 2FA is enabled, a TOTP option (or equivalent that doesn't rely on third parties) should be provided.
You don't need a "TOTP device". It's software. You can easily write an authenticator for a smartphone, a pc, a digital dumb phone, or pretty much anything.
I think the real issue is that companies like SMS because of the tracking it enables. With a single number you get instant geographic + general socioeconomic data on a user along with a unique tracking ID. But the particularly nice thing about this ID, from a corporate perspective, is how blithe users are with it. People will happily "validate" away on numerous sites. Now, by "sharing select information with our trusted partners" (as seems to be the preferred T&C jargon) companies can create extensive profiles on their users well above and beyond their activities on any given site.
Obviously you get none of this with a TOTP. Instead you get better security, better portability, and fewer external dependencies. But no tracking. So SMS wins in the current state of the internet.
You don't need a smartphone or 2FA device to generate TOTP codes, and in fact, can use applications like Bitwarden. SMS is obviously not adequate, or Jack Dorsey wouldn't have been hacked.
I can see more mundane reasons for SMS second factor.
In some places, SMS is simply what people are accustomed to, and the idea of using an app feels like a weird intrusion. Couple this with a PM saying "What if someone changes phones? SMS is more convenient and everyone already uses it anyway". Add a couple of years of SMS-factor, and it can quickly become considered good enough and no more work on MFA is required.
When you set up TOTP 2FA, the application should offer a few one time use codes (Google offers 10, for example). These can be copied and stored safely somewhere.
If you lose the one time use codes, then you're screwed. But that's the risk you face if you want the most simple and most secure method.
Also, most providers allow you to set up multiple simultaneous TOTP devices (and those that don't, should). On my personal TODO list is setting up a "safe deposit box" TOTP device sometime.
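On the one-time recovery codes mentioned above, here is an added example (not from any commenter or provider) of how a service can issue them and honour them exactly once: the user receives ten random codes, the server stores only a hash of each, and redeeming a code removes its hash so it can never be replayed. The class and function names are my own; the codes are high-entropy random tokens rather than user-chosen passwords, which is why a plain SHA-256 suffices here instead of a slow password hash.

```python
"""Added example: single-use recovery codes, stored hashed, consumed once."""
import hashlib
import hmac
import secrets
from typing import List


def generate_recovery_codes(n: int = 10, nbytes: int = 5) -> List[str]:
    """Issue `n` codes of `nbytes` random bytes each, shown as xxxxx-xxxxx hex groups."""
    codes = []
    for _ in range(n):
        raw = secrets.token_hex(nbytes)  # CSPRNG, 2*nbytes hex characters
        codes.append(f"{raw[:nbytes]}-{raw[nbytes:]}")
    return codes


def _normalize(code: str) -> str:
    """Be forgiving about the dashes, spaces and case a user types back in."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _digest(code: str) -> str:
    return hashlib.sha256(_normalize(code).encode("ascii")).hexdigest()


class RecoveryCodeStore:
    """Server side: keeps only hashes; each hash may be redeemed exactly once."""

    def __init__(self, codes: List[str]):
        self._unused = {_digest(c) for c in codes}

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """Return True and burn the code if it is unused; False otherwise."""
        d = _digest(submitted)
        match = None
        # Walk the whole set with constant-time compares rather than a lookup
        # that returns early, so timing does not hint at near-misses.
        for h in self._unused:
            if hmac.compare_digest(h, d):
                match = h
        if match is None:
            return False
        self._unused.discard(match)  # single use: the same code never works twice
        return True


if __name__ == "__main__":
    issued = generate_recovery_codes()        # shown to the user once, then stored offline
    store = RecoveryCodeStore(issued)         # the service keeps only the hashes
    print(issued)
    print(store.redeem(issued[0]), store.redeem(issued[0]), store.remaining())  # True False 9
```

Two practical points follow from the thread: the codes should be shown once and never retrievable afterwards (the server cannot show them again, since it only has hashes), and redemption attempts need the same rate limiting as password logins, because ten 40-bit codes are short enough that unlimited guessing would matter.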