From the server-side perspective, VPNs and Tor exit nodes are horrible for malicious activity. Until AI crawlers came along, they were some of the worst.
They also have the advantage that in the purest technical sense, there’s no necessity for a user to be using them. So blocking them is relatively low consequence for relatively high reward.
Realizing we have drifted from a discussion of SMS and 2FA to VPN here.
However, in an age where we increasingly can’t trust our governments or major online service providers, @Bette brings up a great point on privacy. I think VPN is probably a necessity for certain use cases, depending on your location. Just searching for / accessing content about many topics like sexual orientation, transgender care, birth control, abortion, political speech critical of the current regime, organising peaceful protests—all this (and more) could potentially put a target on you.
Add to the mix the ruthless data brokers (“our 765 partners”) who will sell whatever info they manage to aggregate and connect to your profile. Sensitive info might leak data that way too.
Exactly. The key words of my statement are “purest technical sense.” Everybody already has a routable IP when they connect to the Internet.
And whether or not the provider blocks VPNs by default, the broad thrust of the statement is still true. If you use a VPN, anybody using that VPN can get an IP banned due to bad behavior - which will affect all users that use that exit node. VPNs are hotbeds for bad behavior.
I also don’t disagree that there’s a very good end-user use case for VPNs in certain circumstances. But it’s possible that there are simultaneously good reasons an end user might want to do something, and good reasons a sysadmin might want to prevent the end-user from doing it when connecting to their server. Like many things in life, it’s a risk/reward calculus.
If a government is a threat actor that I’m concerned about then a commercial VPN is the last thing that I would be using. Apart from the security/trustworthiness of a VPN service itself, the exit nodes provide “wonderful” aggregation points for network traffic that’s “of interest” to actors who can operate at that level.
Just thinking out loud, that might be mitigated by using an exit point that’s not under the control of that particular government (or its good friends who will share data).
It would still be a significant risk either way - just maybe a slightly better bet.
While your reasons have some truth, Mobile Phone numbers have massive security weaknesses.
They rely on a technology created in the 1980s and are unauthenticated.
Even after numerous stories about people’s numbers being stolen via a random call to a Mobile Phone provider, the same story is played out again and again.
One Time Codes via Google Authenticator, Microsoft Authenticator, or 1Password are far more secure.