Part of the cell phone security model was that it was expensive and difficult to build the radio gear necessary to spoof a cell tower. Fast forward to the last few years, and you can get an excellent board for SDR for like $500. The guidelines list steps you can take to reduce the risk of SS7 routing shenanigans, but there isn't much you can do about a highschool kid (or an organized crime outfit) playing MITM with a cheap radio, which is why it will be deprecated soon.
If you are in IT, and your environment demands security compliance, this will reach you eventually. It might take a few years if your structure is slow.
I'm not using secondary device auth anywhere because I believe that dedicated hardware is more secure, but many of my peers are.using this. They will be switching off the SMS option and pressing on with online OOB methods, at least until their next cycle. We suspect that online OOB will go away entirely soon as tablet/phone malware matures and starts emptying phone-2FA-protected bank accounts.