SMS 2FA is good enough for most people most of the time. It's very bad at preventing high-skill targeted attacks against individuals, but it's perfectly good at preventing mass brute-force attacks.

It's popular because it solves the problem (not ALL problems, but the one they're trying to solve) and it's easy and low-barrier to implement and use.