
Because you want your users to be able to access the service if Twilio is having downtime rather than your service being essentially down for them. Twilio killing their account was probably not an assumed use case. The biggest expected impact was new user SMS authentication which you could run after the downtime is over. Better some spam users than losing those potential users was their thought I'm guessing. I suspect password reset also failing open wasn't thought of as deeply because it's a rarer path but it got bundled together with the SMS auth code path.

edit: I'm sure we've all had really stupid requirements pushed on us by the business side for the sake of user experience or increasing metrics. Or written bad code at 3am during crunch time.
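
An added example, not part of the comment above and not code from the service it discusses: one way to keep the SMS sign-up path and the password-reset path from sharing a single failure behaviour is to give each flow an explicit policy. The `Flow` names, `ProviderDown`, the `pending` set and the stub providers are all assumptions made for illustration.

```python
from enum import Enum


class Flow(Enum):
    SIGNUP = "signup"
    PASSWORD_RESET = "password_reset"


class ProviderDown(Exception):
    """Hypothetical error: SMS provider unreachable or the account disabled."""


# Explicit per-flow policy. A flow missing from this table fails closed.
FAIL_OPEN = {Flow.SIGNUP: True, Flow.PASSWORD_RESET: False}


def check_code(flow, user, code, verify_with_provider, pending):
    """Return 'verified', 'deferred' or 'denied' for one verification attempt."""
    try:
        ok = verify_with_provider(user, code)
    except ProviderDown:
        if FAIL_OPEN.get(flow, False):
            # Let the user through, but record that verification is still
            # owed so it can be run once the provider is back.
            pending.add(user)
            return "deferred"
        # Account-recovery paths never succeed without a real check.
        return "denied"
    return "verified" if ok else "denied"


def provider_down(user, code):
    """Constructed stub: provider outage."""
    raise ProviderDown()


def provider_ok(user, code):
    """Constructed stub: healthy provider that accepts only '123456'."""
    return code == "123456"


if __name__ == "__main__":
    pending = set()
    for flow in Flow:
        print(flow.value, "->", check_code(flow, "alice", "000000", provider_down, pending))
    print("verification owed for:", sorted(pending))
```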


