The phreaking [1] community was huge and becoming increasingly sophisticated long before mobile was even a thing. I think it's mostly that telecoms were traditionally discouraged from pursuing security. There's, at most, a minimal commercial incentive to it, and the government loves comms that can be easily spied on meaning you're going to get pushback from that side if you start aiming for security.
The idea to start using SMS for secure purposes was similarly probably never really about security, but an advertising/government driven effort given that it helps create a fairly reliable tracking identity for a person. It makes no sense otherwise to use SMS over something like a 2FA app which is completely cross platform, secure, free, and has basically 0 downsides relative to SMS, and a whole bunch of upsides. The only thing is that it's also anonymous.
Don’t 2FA apps have the major downside that if you lose the specific mobile device you installed it on you’re SOL, unless you have backup codes that are too technical for most. SMS gets you more human support since you pay your carrier, I can walk into my nearest teleco branch with my ID if I lose my phone and change the SIM to another phone. So most of the time unless your SIM is hijacked it’s a good proxy for being actually you.
Plus having to download another app adds friction to the signup process and most users aren’t going to bother, so for most it’s SMS 2FA or nothing. Since apps often want your phone number anyway for bot prevention, and users are used to verification codes, it’s not a big deal.
Also a tail end of other issues with 2FA apps (and SMS 2FA predates the nice ones anyway); in other countries there are devices other than iOS/Android to suggest an authenticator app for, limited network speeds and device storage, etc. Heck, I know people in the U.S. with full device storage who can’t download new apps without deleting some stuff. If you’re a random app and not a tech company SMS 2FA is just going to be much easier to implement.
The whole point of 2FA is that once you lose possession of your physical second factor, you lose access. If you can maintain access after losing the hardware, you've just added a second password. SIM swapping attacks have proven very effective at showing how easy it is for someone to bypass SMS 2FA. It's better than no 2FA, but it's the worst second factor out there.
If you don't want to lose access after losing your second factor, you don't want two factor authentication. Trying to make 2FA something it's not only muddies the waters and makes things annoyingly confusing.
I don't think "I know someone whose phone can't handle a 2MiB TOTP app" is a good reason not to offer real 2FA on a website. Sure, offer SMS codes for people who don't care much about security beyond ticking auditor boxes.