That is false. Many incidents have been widely reported where huge names, who certainly could afford even a $50 hardware token to protect their reputation/brand, were 'hacked' because they thought SMS 2FA protected them - and it didn't. Even with services which do also offer TOTP or U2F etc.
Vast majority of users don't bother with such complexities.
SMS is the easiest minimum entry barrier to 2FA. It is better than having just passwords.