You know this is the same reason people keep using telnet to manage their routers. "To attack the protocol would be like totally hard, and upgrading the routers to use ssh would be a pain in the ass. Telnet isn't perfect but it's better than nothing!"
Yeah, SMS isn't perfect, and yeah, it's better than nothing. But you know what else is better than nothing? Properly implemented TLS from an app or website on the phone. Of course that has holes too, but it's encrypted and (hopefully) authenticated unlike SMS. And it's available in every phone that can do SMS (unless you don't pay for data).
You can do whatever you want. But if you give people a crappy option and a good option, and the crappy option is slightly easier, they'll use the crappy option. But if they want the extra security they'll use the extra click it takes to make the good option work. Most people will just reason that nobody will ever use a keylogger on them and keep using keys with passwords.
Yeah, SMS isn't perfect, and yeah, it's better than nothing. But you know what else is better than nothing? Properly implemented TLS from an app or website on the phone. Of course that has holes too, but it's encrypted and (hopefully) authenticated unlike SMS. And it's available in every phone that can do SMS (unless you don't pay for data).
You can do whatever you want. But if you give people a crappy option and a good option, and the crappy option is slightly easier, they'll use the crappy option. But if they want the extra security they'll use the extra click it takes to make the good option work. Most people will just reason that nobody will ever use a keylogger on them and keep using keys with passwords.