Common sense is not to blame for some of the shortfalls. For example, where the villain persuades the mobile operator to send a replacement SIM; ISTR a few customers of the banks were getting caught out by that one not long ago?
And in these days of 'uncrackable' smartphones, we probably all have a password/PIN locking the handset data. But how many people still bother with an additional SIM PIN lock as, without it, a phone thief merely needs to swap the SIM over to a different handset, and thereby gain access to 2FA texts..?
Not sure about the others, but Google encourage registering a second phone, which may be a landline, for receiving the texts, in case the usual one is not available. Which doubles the risks and in many cases leads to the code being sent over unencrypted analog.
One of the biggest problems though, in my view, is that the providers often allow the 2FA code mechanism to be used for account recovery or password recovery. That's not 2FA any more, it's just a single factor - and a rather weak factor at that, for reasons above...