This only works if someone can access an exchange account using your mobile
phone number (e.g. reset the exchange account password using a SMS verification code).

After all the 2FA application is running on the application layer and not on the SIM card.
E.g. even if someone manages to impersonate me at my mobile phone provider and manages to get
a SIM card he will still not be able to breach the 2FA of my exchange accounts.

The real risk is that you back-up your 2FA recovery seed/code in a way where a third person
can access it (e.g. storing it digitally, storing it in your wallet or similar questionable behavior).
Merely obtaining a SIM card for the mobile phone number should not be enough to breach 2FA.