There are ways to intercept a text or to create a dummy gateway (but hackers aren’t going to pay for Twilio). But I can see where the Authenticator app can be compromised at the client level - if someone knows your passcode or pattern (or you have no locking method defined). I know Microsoft REALLY pushes the authenticator app, but the assumption that if you have access to the device with the app and can just hit "approve" on the screen without having to enter a code is deeply flawed, because some users will just approve it, similar to your phone situation.
Hardware MFA is the best method - but also the most cumbersome, and people aren’t going to pay for a $20-30 Yubikey/Titan key.