If CRA needs to contact you, they do not send the content of your concern, they post the content to your account and notify by email that you need to login and read the content. This avoid exposing your personal information in email. So they care about security.
It is probably ok to use SMS passcodes for social media and other amusements where money is not involved. However, billions of dollars flow through CRA which is an attraction for bad-actor hackers. And hackers have tools to capture SMS codes while logging in as you. Cell phone networks have security bugs so information passing through them needs to be encrypted. This can't be done with SMS which is plain text.
Google "risk of sms for authentication" and it's all bad news. The best advice is don't use SMS for 2FA/MFA. It actually weakens security for CRA business.