The article says "We found 17 websites on which user accounts can be compromised based on a SIM swap alone", that seems like a pretty clear indication that it can be worse than nothing.

I happen to think the benefits of SMS 2FA, even when working as intended, are negligible. It seems like a bad idea to waste the finite amount of developer good will we have asking services to implement it.

Literally the only attack that SMS 2FA has any impact on is credential stuffing, and even then it's debatable. Credential stuffing is using the credentials stolen from one service to compromise another. If you don't reuse passwords, then you don't need SMS 2FA.

If you do reuse passwords - then it seems impossible you're not also vulnerable to phishing. After all, you're already willing to hand over your credentials to anyone who asks. SMS 2FA is not a solution to phishing, as the tokens themselves can be phished.

If you can compromise the account, based on a SIM swap alone, then that site has 1FA (The phone number).

2FA requires you to have 2 factors at the same time. e.g. When I log onto amazon from a new browser with valid username+password it additionally requires me to confirm via my phone number.

1or1FA (e.g. reset your password via SMS if you forget your password) is just increasing the attack area on 1FA (would be more secure without it).

Problem it's trying to solve, is that it's conventionally unacceptable to lock people out of their accounts.

Let's say that it wasn't you who logged in with a valid username and password, it was an attacker.

Under what circumstances does the phone number prompt prevent the attacker from accessing your account?

Perhaps they used phishing? Then they can just phish the SMS code as well.

Perhaps they're a MITM over an insecure channel? Then they can just wait for you to enter the SMS code.

Perhaps you installed their malware? Then they can just inject some code into the browser.

Compared, presumably, to the other two popular 2FA methods: TOTP and WebAuthn (f/k/a U2F).