
RSA SecurID is not a smartcard. It's basically equivalent to TOTP except as a physical object rather than a phone app. There's a secret baked into the SecurID and the issuer knows that secret so they can use it to generate the same one time code.

You seem to imagine that your phone, on which you run most likely not only a wild variety of apps from potentially untrustworthy sources, but also a web browser, which is a huge attack surface facing the Internet, is more secure than a simple smart card and that doesn't make a whole lot of sense.

In both cases the main real world security is that bad guys will probably need to _steal them_ which is difficult and a completely different skillset from the skills to make phishing emails or lie on the phone. But the phone is a bit worse here because maybe they can attack that remotely via, as I mentioned, your web browser, instant messaging stack or other components of a very complicated device.


