I'm a pretty big fan of the rolling token 2-factor authentication model, with the app on your phone presenting you the rolling token. The Blizzard login app is the biggest single example that comes to mind. SMS really isn't secure; I think something like this could be a good next step to phase in.
The thing that bugs me about this model is that it's not challenge-response, so someone can play man-in-the-middle.
While it's possible to hijack someone's phone number, as demonstrated, it requires a relatively high amount of effort per target, whereas if you compromise a network segment somewhere (with DNS and a rogue SSL cert or whatever you need), you could just sit there, farming authentication cookies. Have your MitM check the "authenticate this computer for 30 days" checkbox and you've got a nice little collection to work with.
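The difference the comments above turn on, as an added example that is not part of the thread: a rolling token (RFC 6238 TOTP) is computed from the shared secret and the clock only, so the server's check cannot tell where the code was typed, while a challenge-response that covers the origin the client is connected to is rejected when it comes from any other origin. The origin-bound scheme is a simplified shared-key stand-in for what WebAuthn-style authenticators do with signatures; `bound_response`, `server_accepts_bound`, the `login.example` origins and the challenge value are assumptions made up for this sketch.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of the shared secret and the clock only."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    """Server check: current or previous time step. No input says where the code was entered."""
    return any(hmac.compare_digest(totp(secret, now - skew), submitted) for skew in (0, 30))

def bound_response(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Client side (hypothetical scheme): MAC over the challenge and the origin the client sees."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()

def server_accepts_bound(key: bytes, challenge: bytes, response: bytes,
                         expected_origin: str = "https://login.example") -> bool:
    """Server check: the response must cover this challenge and the server's own origin."""
    return hmac.compare_digest(bound_response(key, challenge, expected_origin), response)

def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real credential
    challenge = bytes(range(16))      # constructed; a real server issues a fresh random nonce
    code = totp(secret, 59)           # what the phone app shows at t=59
    genuine = bound_response(secret, challenge, "https://login.example")
    elsewhere = bound_response(secret, challenge, "https://login.example.invalid")
    return {
        "totp_submitted_directly": server_accepts_totp(secret, code, 59),
        "totp_forwarded_5s_later": server_accepts_totp(secret, code, 64),
        "bound_from_genuine_origin": server_accepts_bound(secret, challenge, genuine),
        "bound_from_other_origin": server_accepts_bound(secret, challenge, elsewhere),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Only the last result is a rejection: the TOTP check has nothing to compare against except the code itself, whereas the bound response fails as soon as the client computed it for an origin other than the server's.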