I think the answer to the "stolen SIM" from Apple may just be "use e-SIM".

I agree the inability to remove SIM as backup 2FA method is troubling. I would sign in blood any liabilities to be able to remove SIM as a backup auth.