The idea is that while SMS may not be "secure" in general, it is secure enough when used as the second authentication factor.