Apple does not use SMS to send 2-FA codes if you have another "trusted device". [1] However, I tried recovering my account as if I were a thief and I could use the forgot password feature to send an SMS code to initiate a password reset. From there I was able to reset my password after verifying the credit card attached to the account. So even with 2-FA enabled you're screwed if they stole your wallet too.

If your phone is stolen call your carrier and have them disable the number or invalidate the sim.

[1] - https://support.apple.com/en-us/HT204915