One way that you can influence the situation is by addressing the PHB directly, in a language they understand: NIST 800-63B [0].

To reach Authenticator Assurance Level (AAL) 2, there are restrictions placed on PSTN-delivered OOB verification as described in Sec. 5.1.3.3. They explicitly state (in Sec. 5.2.10) that the validity of restricted authentication can change at any time, AND that organizations "SHALL" offer alternative MFA options that are not restricted.

Specifically: "The use of a RESTRICTED authenticator requires that the implementing organization assess, understand, and accept the risks associated with that RESTRICTED authenticator"

So now when you go to the PHB and say, the government says that we are potentially opening ourselves up to legal liability according to such-and-such document subsection whatever, you're much more likely to get allocated resources to implement alternative options. Plus, the government could potentially disallow phone-based 2FA at any time! Imagine how the board will react when they find that we didn't plan for this contingency and suddenly can't comply...

[0]: https://pages.nist.gov/800-63-3/sp800-63b.html
Since the document you link to is applicable to federal government systems only and neither opens you up to any legal liability nor implies the government will ban SMS 2FA for non-government systems at any time, the PHB will likely tell you to take a flying leap.