There have been claims of 2FA being inadequate if you log in to your investment accounts on the same phone as your code is sent to.
Apparently people have been able to transfer numbers to new SIM cards and hack into accounts that way. It usually requires someone on the inside at the cell provider, but it happens here and there.
A code sent to your phone is more properly referred to as "wish it were two factor" authentication. The most common real 2FA is to have a hardware token with a certificate or code generator along with a passphrase (i.e. something you have and something you know). It's way too easy to clone a SIM or hack into an SFA email account.
Even bloody video games implement decent 2FA to protect virtual possessions; it's a travesty that financial institutions fail to do this. Of course, when presented with a decent upgrade in credit card security, the industry also dropped the ball and fatally weakened chip+pin 2FA in favor of chip-only 1FA.
With the complete lack of sane security practices, the only way you can combat issues (while still using online services) is:
* Use a password manager:
https://keepass.info/
* Use passphrases, not passwords (especially as the master password for your password manager):
https://www.useapassphrase.com/
* Never, ever use a passphrase more than once.
* DO NOT FILL OUT PASSWORD RESET QUESTIONS! This is an absurdly bad idea for a webpage to implement. Even if you have a decent passphrase, if you answered "what is your mother's maiden name" you have a completely insecure account. If you are required to use these, use randomly generated strings or arbitrary passphrases as the answers for these.
* Use a system-on-a-stick (i.e. an O/S installed/maintained on removable media or VM that is only plugged in when used) for all financial access. An easier but more expensive alternative is a dedicated device (i.e. a laptop). Don't use a mobile device; the security of mobile devices (especially cheap Android, but also iOS) is effectively non-existent.
* Never use Android, iOS or other mobile operating systems for anything where security is important.