
Push back on PCI DSS by showing you’re NIST compliant, which is generally considered higher grade and acceptable.

Sharing details, as many “sacred cows” are slain:

- User-generated passwords should be at least 8 characters in length

- Machine-generated passwords should be at least 6 characters in length

- Users should be able to create passwords up to at least 64 characters

- All ASCII/Unicode characters should be allowed, including emojis and spaces

- Stored passwords should be hashed and salted, and never truncated

- Prospective passwords should be compared against password breach databases and rejected if there’s a match

- Passwords should not expire

- Users should be prevented from using sequential (ex. “1234”) or repeated (ex. “aaaa”) characters

- Two-factor authentication (2FA) should not use SMS for codes

- Knowledge-based authentication (KBA), such as “What was the name of your first pet?”, should not be used

- Users should be allowed 10 failed password attempts before being locked out of a system or service

- Passwords should not have hints

- Complexity requirements should not be used, ex. requiring special characters, numbers, uppercase, etc.

- Context-specific words, such as the name of the service, the user’s username, etc. should not be permitted

https://pages.nist.gov/800-63-3/sp800-63b.html
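A checker that encodes the memorized-secret rules in the list above, as an added example that is not from the post or from NIST; the breach set, the 64-character cap, the run length and the context words are constructed assumptions:

```python
"""Password acceptance check modelled on the SP 800-63B rules listed above (added example).

Rules encoded: >= 8 code points for user-chosen, >= 6 for machine-generated, accept up to 64,
any Unicode allowed (spaces, emoji), no complexity rules, reject breached passwords,
reject sequential/repeated runs, reject context-specific words. Never truncates input.
"""
import unicodedata

# Constructed stand-in for a breach corpus; a real deployment would query a large list.
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou"}

MIN_LEN_USER = 8
MIN_LEN_MACHINE = 6
MAX_LEN = 64   # assumption: we accept exactly the floor NIST requires services to accept
RUN_LEN = 4    # "1234" / "aaaa": runs of this length or longer are rejected


def _has_repeated_run(s, n=RUN_LEN):
    # Same code point n times in a row, e.g. "aaaa" or four identical emoji.
    return any(s[i:i + n] == s[i] * n for i in range(len(s) - n + 1))


def _has_sequential_run(s, n=RUN_LEN):
    # n consecutive code points stepping by exactly +1 or -1, e.g. "1234", "abcd", "dcba".
    codes = [ord(c) for c in s]
    for i in range(len(codes) - n + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + n - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(candidate, context_words=(), machine_generated=False):
    """Return (ok, reason); reason is '' when the password is accepted."""
    # NFKC so visually identical Unicode input compares consistently; length is counted
    # in code points after normalisation, never in bytes, and nothing is truncated.
    pw = unicodedata.normalize("NFKC", candidate)
    n = len(pw)
    if n < (MIN_LEN_MACHINE if machine_generated else MIN_LEN_USER):
        return False, "too short"
    if n > MAX_LEN:
        return False, "too long"
    if pw.lower() in BREACHED:
        return False, "found in breach list"
    if _has_repeated_run(pw):
        return False, "repeated characters"
    if _has_sequential_run(pw):
        return False, "sequential characters"
    low = pw.lower()
    for word in context_words:            # e.g. service name, username (caller supplies them)
        if word and word.lower() in low:
            return False, "contains context-specific word"
    return True, ""
```

Note that no branch checks for digits, symbols or case: a long all-lowercase passphrase passes, which is exactly the point of dropping complexity rules.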



That's not a bad list and for regulatory purposes maybe it makes sense to use it, but it has its own limitations.

- Users should be prevented from using sequential (ex. “1234”) or repeated (ex. “aaaa”) characters

This one can be counterproductive for the same reasons as the complexity requirements that this list prohibits. It reduces the space of available passwords and might block a strong but memorable password that coincidentally has an invalid subsequence somewhere in it.

- Two-factor authentication (2FA) should not use SMS for codes

This has its problems but depending on the situation you might have few alternatives available and some form of 2FA might still be much better than none. Apparently my government, my bank, and several well-known online services all share this view.


Apparently doesn’t mean secure.

Most likely, the bank is doing it wrong because of bad old policies and lack of security education in the security and risk groups. The well-known online services use your number to tie to data broker feeds. Not sure about your government, but likely inertia and misinformation.

Disclosure/disclaimer: megabank CTO opinions are my own


The question isn't whether it's secure. Complete security is a work of fiction anyway. The real question is whether it's significantly more secure.

As of today, probably 3/4 or more of the online services I use that have serious security requirements are favouring SMS-based 2FA over just using ID and password as they used to. This can get a bit annoying, but it's obviously more secure than not doing it.



