Same-day sim replacements to a backup sim instead of waiting days for replacement sim

MSF I work in cyber security so I think I'm in a good position to talk about this from a security standpoint!

That is definitely a valid concern, but I would argue that if an attacker manages to gain access to your Smarty account in order to perform a fraudulent sim swap, this would mean they likely bypassed the 2FA (text/email code), which means they either have access to your sim in some way, or your email account, and at that point you likely have bigger things to worry about.

However, this can likely be mitigated by adding a delay of a few hours, in which during this time the original sim is sent a text message, including the email on the account, that a sim transfer is taking place, and allows the user an option to cancel the transfer and secure their account, after which the original sim is temporarily disabled to prevent use.

Another solution could also be to limit the backup sim cards that a transfer can take place in, for example by only allowing inactive/backup sims sent to the original address listed on the account to be used as transfer candidates, and refusing transfers of inactive sims from different addresses or acquired through different means.

And since many providers offer this option (such as Giffgaff), it is very likely they've criticised this from a security standpoint already and have implemented measures to prevent abuse of this (I believe Giffgaff limits sim transfers during certain hours, in which the primary sim holder may be away such as asleep so that they can be immediately made aware that a sim transfer is taking place).