I imagine a world where you go into the cell store, and they demand three forms of identification including a utility bill to talk to you. I can already hear the complaints from a much larger portion of their customer base.
I don't know whether in this case the victim was using SMS codes, or whether the attacker used their phone number as part of a more involved attack (e.g. calling customer support and impersonating the victim). Even if you don't use SMS codes, there are a number of attacks that are opened up if someone seizes your cell phone number.
In general, however, I think it would be a good thing if service providers were held liable for damages occurring due to account breaches; that's the only way we're going to get proper account security. Schneier has written on this subject extensively, e.g. https://www.schneier.com/essays/archives/2003/11/liability_c....
Usually the attack is done against an individual who is known to have significant crypto assets and is using Gmail. By default, if you enable 2FA on your Gmail account, SMS-based 2FA is activated as a backup.
The attacker social engineers the phone provider to port the victim's number, then resets the victim's Gmail account, uses Android device manager to wipe their devices, and using the details found in Gmail they proceed to gain access to other accounts owned by the victim. The main goal is to social engineer access to services where they store crypto or to find unencrypted wallet backups in the cloud.
Now there is https://landing.google.com/advancedprotection/, which might be a better option -- interested to know if you've got any opinions on that scheme.
You give one example. It also applies when people lose the password for an account, no longer have access to their original or backup email, etc. The most secure thing to do is probably to tell the customer "tough." But that won't go over very well so account recovery practices get put in place that are probably susceptible to social engineering attacks.
It would be similar to the account recovery aspect of Google's Advanced Protection Program: "A common way that hackers try to access your account is by impersonating you and pretending they have been locked out of your account. To give you the strongest protection against this type of fraudulent account access, Advanced Protection adds extra steps to verify your identity during the account recovery process. If you ever lose access to your account and both of your Security Keys, these added verification requirements will take a few days to restore access to your account."
If they actually took part that seriously, most identification could be done with a PIN or a password or whatever and the serious identification could be reserved for people who've actually forgotten.