This is because RSA lacks forward secrecy: If the private RSA key is stolen, it can be used to retrospectively decrypt all past communication.
Also X448 provides the equivalent security of ~15000-bit RSA with a fraction of the key size, and key generation takes milliseconds instead of minutes.
For key exchange, use X25519 or X448.
For digital signatures, use Curve25519-based ed25519 signatures.
For authenticating communication, use authenticating encryption like ChaCha20-Poly1305 or Salsa20-Poly1305 or AES256-GCM.
For hash function, use Blake2 or SHA3-256 or SHA256.
RSA lacks perfect forward secrecy is same as saying that ECDH lacks perfect forward secrecy. Both is true, and both can be used with ephemeral keys, which provide forward secrecy to both (and therefore must use other way to authenticate). Claiming that it's somehow RSA's problem while willfully pretending that it doesn't concern elliptic curve cryptography is very dishonest.