Do you outsource your security?
The use of phones to ‘secure’ important, personal information has become widespread without any concern for the fact that phone companies do not have strict and consistent rules about such things as SIM swapping, particularly as this practice is considered a handy feature by many who would, no doubt, baulk at any reduction in this convenience.
I have heard the "large orgs do technical security so much better than we ever could" mantra so many times, but there never seems to be any consideration of the increased social engineering surface that a large organisation must have to manage huge numbers of anonymous clients. Also, as in this case it seems, a large organisation is much less well equipped to deal with rogue employees who are, again because of org size, pretty anonymous AND able to subvert any security protocols put in place.
Maybe the new mantra should always be that "convenience and security are opposite ends of a scale, as one increases the other must decrease". You must prioritise what is most important. Anyone who claims different is ignorant or selling snake oil.