I think I have said the following till I go blue in the face:

1. Mobile phone numbers are not secure. SIM jacking is a thing, and a 6 digit code is not impossible to guess (it's only 1 in a million).

2. Sending codes/links via email is problematic as described by the article.

3. Inconsistent "best practices" confuse users, and frustrate them.