It's the mobile operators' fault for allowing the SIM transfers. It's relatively easy to social engineer one's way around a customer support agent over the phone if some credentials of the victim are known and, after gaining access to the phone number, the intruder can go to town resetting all victim's accounts. SIM transferring should only be allowed by visiting the company's offices and doing it in person after verification of the identity of the SIM owner. I have heard a lot of horror stories about SIM hijacking - mainly famous influencers' Twitter accounts getting hacked via social engineering and lax security protocols of the mobile operators.