I suppose the justification is that if the a purchase is being made from a mobile device, it is probably the device which is configured for SMS. Therefore is somebody has stolen your phone and is trying to make a purchase (and the mobile web browser has remembered your password), then the 2FA system becomes moot/insecure. I'm not necessarily agreeing with the policy, but I can see how it could make some sense...