The 2FA cases I use, to change it you need to disable it and then re-enable with new credentials/key. To disable though you need the original 2FA key. If your device is lost, then it's a long process of verification's to have the institute manually turn it off.
What your most dialled numbers are (if you do call people);
What your last recharge amount was;
What price plan your old number was on;
What your most frequently SMS’d number was (if you do SMS people);
What your last airtime balance was;
What average amount of airtime you use per month; and
How long you have been using your old number for.
Note that whilst answering the questions, you may skip some of the above questions if you don’t know (or have the answer to) the specific question. All questions above will be related to your old number.
For that kind of thing it should be automatically rejected unless the customer confirms.
The same applies to fraud detection systems that block transactions on a bank account - that block should remain in place until the customer verifies that they are valid, not expire after a time limit.
Logic dictates that the only physical way someone can access your account is by you allowing it. Whether intentionally or unintentionally such as this case.
A breach of their systems, which would be an exception, would not affect one single person.
For them to prove you compromised your own account would involve you handing over every single internet capable device you've ever used your banking with and even then, nothing stops you from wiping it, destroying any evidence that may have found you negligent.
It goes into various accounts (some maybe opened with fake details, other bought from poor people or poor people paid to open them), cash withdrawn at different ATMs (I'm sure the crims wear caps and **** if they think there is cam seeing them, and the cameras are not the best quality). At best we can prosecute the account seller, but given the justice system and the fact that we can't even prosecute people who steal R100s of millions blatantly...
Better advice is to use better banks and not to fall for scams, better to be too paranoid.