
The reason that SMS is preferred is that "everyone has it". Requiring all customers to get an app is much harder than requiring them to have a phone number that can receive SMS.



"everyone has it" and it is "good enough" at preventing large scale attacks like credential stuffing from data breaches.

Most online services aren't so worried about a small number of users being SIM-swapped. They are worried about large numbers of users that reused their password across thousands of sites, 5 of which had their database dumped.

SMS 2FA isn't about providing individual users a high level of security. It is about providing a baseline level of security for all users.


I disagree. A bank reported ~1,000 SIM swap attacks happened to their clients during 2021 alone in a single EU country. That's a lot. Furthermore, these attacks target high-value individuals, which I imagine is a particular cause of concern for banks. For this reason, the EU has phased out SMS as a valid 2FA, although not many banks have complied yet.

Some banks, like ING, already refuse to send OTPs by SMS and effectively require using an app. SMS is also bad from a user perspective as it turns your phone into a single point of failure. Also, if you are roaming abroad, SMS delivery is usually slow and unreliable. Imagine going to another country and being unable to validate a credit card transaction.


An app that steals my data is a no-go for me.


I don't like apps either, that's why I'd like standardized 2FA.


Many sites are blocking my Google Voice number from being used for 2FA, so apparently not "everyone" has a number that "everyone" finds acceptable.



