Microsoft also does that too for recovery but if you have activated MFA with the authenticator app, even the recovery will require another recovery code or the use of the Authenticator.
The other issue is that companies like Videotron still ID using Date of Birth, Postal Code and/or Mother maiden name. Not too hard to get these info.
People under estimate this but email should be more protected then before. Once someone gains access to that, he can resets password for most websites.
Event Text message should always be hidden from your lockscreen.