Setting aside the questions around SMS 2FA (which I don't think is the core of the problem here), the question is "Who is responsible for a user maintaining correct contact details?".
As I see it, the complaint seems to be Meta provided the password reset details to the contact details the user asked them to provide them to. Why can Meta be held liable if the user fails to update those contact details? I am pretty sure we have seen similar stories when domain names have been recycled, and the new owner of the domain started receiving email for the previous owner. I know I still receive post for previous residents of my current home, some of whom last lived here over 20 years ago!