Yes, telco security is an oxymoron. This also means Signal and WhatsApp security is built on feet of clay. I do have my old US number ported to Google Voice, where Google's legendary unwillingness to employ humans for anything resembling customer service also means there are no gullible (or corrupt) CSRs to fool into initiating a SIM swap, not to mention there is not even such a things as a Google Voice SIM to begin with. This won't work for UK users, unfortunately, there are UK-based virtual phone number companies, but they are quite expensive, and I doubt their security is any better than the telcos. I also self-host my email, so there is no password recovery vector, but the Google quasi-monopoly on email is making that increasingly difficult. The only way forward is for Parliament to pass a law that puts all liability for fraud on the company that still uses insecure mechanisms (basically anything other than FIDO2 or their Passkeys flavour). That's essentially how Chip and PIN was adopted so quickly.