
Google periodically puts that banner at full display when you log in. Even if you miss it one or two times it will come again. If you are so incompetent as to ignore a clear security warning that many times then you are responsible for your own actions.


You don't know how this person lost their number. How quickly they lost access to it. What actually happened.

Maybe the last time this banner appeared, they still had their number. Maybe things just coincided with the worst possible timing. Stuff like that can happen.

I'm really not comfortable calling them completely incompetent over this.

Also there have been reports of people getting locked out for no fault of their own as well. And those people too have no chance to do something about it.

But even if it is incompetence or gross negligence - as a software company, you'd still want people to be able to report that stuff happening, so that at least you get statistics that you can use to measure the effectiveness of any improvements you try to make.

If those problems occur so frequently that it's no longer financially feasible for you to actually look into them... then maybe there's some incompetence going on at your own side, right?


> that many times

If you're already logged into Chrome and logged into your phone, it might take a few years before you get to "many times".


How would someone be logging in if their current, valid 2FA is no longer accessible?


I don't know when the last time was I logged into my Google account. Probably when I got my current phone. No login = no question if your 2FA details are current.

Also, Google doesn't always make it clear when something is being added as 2FA. E.g. if you log into an Android phone future logins will use it as 2FA.


I ran into this problem one time. I had some android that was absolutely not my primary phone that I logged into, and it was sitting plugged in, in my basement for diagnostic reasons (I just needed an android running with a linux shell for testing). About a year after forgetting about it I was trying to log into Google and they prompted me for my 2FA, which I happily provided since I use Google authenticator.

Then, when trying to access my passwords stored on my Google account (passwords.google.com) I was prompted with a message saying that there was suspicious activity on my account, and I needed to approve a pop-up on this Android phone. Google would not let me access the password manager until I could physically drive back to that phone to approve it. They refused to provide me with any alternative options despite my having a YubiKey and SMS. Finally, I navigated to my inbox (everything else would load except for that password manager) and went into details at the bottom of the page, then forcibly signed out of that Android phone. Bear in mind this was the same device that it refused to let me access the password manager on.

Anyway, after removing the device from my account it let me access passwords.google.com.


From my experience, Google will show that banner a couple of times if you log in from an unusual device, and only after that will it require you to complete the login with the 2FA.



