The point I was making isn’t that a single digit code is bad for security, but that having a loosely defined spec which major implementations disagree on is bad for security.

For example, Yubico generate 7 digit TOTP codes. If you move your secrets from their TOTP app to Google, will you be locked out? If you move from Google arbitrary number of seconds to an app which only supports 30 seconds, will your codes occasionally be wrong? Can dodgy URl encoding of certain fields be used to trick or confuse users?

Because major implementations are diverging from the spec and the deficiencies in the original spec, it is possible that unforeseen security issues could arise.

As I say in my post, choosing a single digit TOTP code is stupid. But relying on a stagnant spec is probably worse.