
Why does this have to involve a SIM card though? Why not use the device itself, e.g. authenticator?


It's possible to use OTP and password as well, which requires a physical OTP generator. But that's actually more cumbersome than using the SIM alternative in my experience.

I believe using the SIM adds layers of security that OTP apps can't compete with, including increased difficulty cloning the private key. I assume that accessing the relevant parts of the SIM is way harder and requires completely different vectors than attacking the OS.


Since the early 2000s, banks in Europe gave physical OTP devices. While somewhat inconvenient if you don't have it with you, I still liked it better than alternatives that are popping up lately:

SMS based authentication, an app that generates a code from a QR-like pattern displayed on your computer screen (neat but they didn't think of the case where the screen displaying the QR pattern would be the phone itself, or the fact that you're letting their app see what else is on your computer screen) and paper cards with a finite amount of numbers on them.

In fact I'd prefer TOTP as supported by authenticator as a better phone based alternative since it's standard and you can control if and how you want to securely back up the codes rather than have a plethora of different systems.


BankId works even with non-smart phones. Plus its storage of private keys is more secure than the crypto-storage on cheaper smart-phones.


A SIM card contains a crypto module that can perform operations (signing, encrypting, etc) while not allowing the device to read the private key. Some phones include a chip like that too, but many don't.


Sweden briefly had a SIM card-based system before scrapping it in favour of a pure smartphone app.

