Speaking as someone who worked for two of the big telcos, and specifically in the SMS area for one, I'm wondering how the system relies on call centre staff?
SMS to mobiles is being outsourced as part of the bank's security infrastructure - but the banks don't control it, and do not have control over the training of the staff that run it. By running successful social engineering attacks aimed at the telco's staff, the integrity of the bank's two-factor authentication system is being compromised.
The banks would be far better off running some kind of software SecurID-style hashing app where they control the generation of passcodes over SMS, rather than just relying on a clear-text authentication from a phone number that can be easily appropriated by fraudsters. There would still be the weak point where a fraudster could try to have a new phone/app's hash resynced with the bank's server, but then they would be dealing with bank staff trained to look out for social engineering, and could have procedures in place to stop it (security questions, new code sent by post, etc). This would be far more secure than relying on a telco's staff who are not trained in spotting and responding to banking fraud attempts, and in many cases would actually be trained to help the customer transfer to new phones/numbers.
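The "bank-controlled passcode generator" the comment argues for is essentially an event-based one-time-password token, and the "resync" step it flags as the remaining weak point is a concrete server-side operation. The following is an added illustration, not code from the commenter: a minimal RFC 4226 HOTP generator plus a hypothetical `BankTokenServer` that verifies codes with a small look-ahead window, rejects replays, and only moves the counter across a large gap through an explicit resync that demands two consecutive codes (the step the comment says should sit behind bank-staff checks). The secret and class name are constructed for the example; the HOTP algorithm itself is the real standard.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class BankTokenServer:
    """Hypothetical bank-side verifier for one customer's token.

    The bank holds the seed, so no third party (such as a telco) is in the
    authentication path. The counter only ever moves forward, so a code that
    was already accepted cannot be replayed.
    """

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0          # next counter value we expect
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # Tolerate a few presses on the token that never reached us.
        for candidate in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1   # consume this and earlier counters
                return True
        return False

    def resync(self, code1: str, code2: str, window: int = 100) -> bool:
        """Re-align a token that drifted far ahead (new phone, many unused codes).

        Requires two consecutive codes so a single guessed value is not enough.
        In practice this call would only be reachable after the bank's own
        out-of-band identity checks, as the comment describes.
        """
        for c in range(self.counter, self.counter + window):
            if (hmac.compare_digest(hotp(self.secret, c), code1)
                    and hmac.compare_digest(hotp(self.secret, c + 1), code2)):
                self.counter = c + 2
                return True
        return False


# Constructed example seed: the RFC 4226 test-vector secret, so the first
# codes are 755224, 287082, 359152, ... and can be checked against the RFC.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = BankTokenServer(DEMO_SECRET)
    print(server.verify(hotp(DEMO_SECRET, 0)))    # True: fresh code
    print(server.verify(hotp(DEMO_SECRET, 0)))    # False: replay rejected
    print(server.verify(hotp(DEMO_SECRET, 50)))   # False: too far ahead
    print(server.resync(hotp(DEMO_SECRET, 50), hotp(DEMO_SECRET, 51)))  # True
```

The look-ahead window keeps day-to-day use forgiving, while the resync path is deliberately separate so it can be gated by whatever procedures the bank chooses; nothing in this flow depends on who answers the phone at a carrier.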