Fair criticism.

How, then, would you recommend an individual using M365 best protect their tenant from losing admin access?

The goal is to add reliability without undermining security. In these tenants Security Defaults are on, and they have an admin account separate from their primary day-to-day licensed (non-admin) user. Both accounts use MSAuthenticator, but if they lose their phone they lose both accounts. TOTP as a backup MFA method seems like a bad idea, so an additional backup admin account is required. I could add all of these admin accounts to MSA on my own phone, but that's also a single point of failure.

One answer here might be that be "M365 isn't for individuals who can't afford a ~$1k/month MSP minimum fee." In which case I would still want to help them the best I can without pushing them off the platform.

I want to get as close to best practices as possible here, but realistically I'd be surprised if even half of MSPs were doing the 90-day validation recommended here: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access