RSA is broken by quantum computers, no matter the bit length.
That's true from a cryptographic-purity standpoint. It's more complicated in practice.
Shor's is O(lg N),¹ in time. But it's O(N³) in space (number of gates), so the space requirements grow quite badly — given the difficulties we still face in scaling up error-corrected qubits and quantum gates.
Unless and until large QCs become available, attacks against decent-sized RSA keys using Shor won't generally be practical. And when large QCs become available, (the handful of²) attackers with them may well prefer to crack, say, 8 keys of length N in parallel rather than a single key of length 2N.
ECC, on the other hand, will be more practical to break because of its much smaller keys.
Then there's GEECM, the Groverized Lenstra variant, which is claimed to be "often faster than Shor's". I don't know what GEECM's space complexity looks like.
For most people, their traffic isn't interesting enough to anyone to ever be threatened by QC, unless there's a truly mind-boggling breakthrough that completely changes the picture. As long as things like dilution refrigeration are in the hardware picture, and we struggle to get a significant number of physical qubits working, the risk to classical asymmetric cryptography for the vast majority of users is vanishingly small.
Moving to PQC now(-ish) is justifiable from a security viewpoint. But the reality is that no one's going to be snooping on your Amazon purchases.
¹ Actually polynomial in lg N, but we're among friends here.
² There's only so much recorded RSA-protected key-exchange traffic that will still be of value to anyone at that point. Sure, you break a TLS server's RSA key and then you can decrypt all those session keys, and then the traffic you saved ... and then you have to separate the wheat from the chaff. NSA ain't gonna care about the vast majority of the crap they hoovered up; they did that mostly because they could.