Ok, email is terrible. It just offloads the onus of security to your email provider. SMS/Phone call however meets the “something you have” aspect of MFA, PIN now counting as “something you know” aspect. Ultimately it sounds super weak, but that weakness can be mitigated by other aspects such as device fingerprinting, geo blocking, locking out after failed attempts, etc.
The thing is, at some point, the bank will have a customers account get breached no matter what they do. If they want to be lax on security, they better provide top notch customer service when a breach occurs because they’ve taken the onus of security off the account holder and limited their options on being more secure.