"Log in with a one-off code" option is effectively an authentication bypass, and I want it disabled.

lucidityy
Contributor

I have protected my PayPal account with two-factor authentication and turned off SMS as a two-factor method, as it is not secure.

However, recently PayPal started offering me "Log in quickly with a one-off code" as a login option. In fact, "Log in quickly with a one-off code" is even less secure than having SMS as a two-factor authentication method. Effectively this method bypasses my password and Authenticator token and uses only my phone for authentication, meaning that someone could steal my SIM card and then get into my PayPal account and make unlimited purchases. I am very annoyed about this. I do not want PayPal adding authentication bypasses to my account; I want it to be secured using the method I have chosen.

I called up and asked for this to be turned off, and the person I spoke with agreed, but PayPal is still offering this option. Does anyone know of a way to turn it off? I want this option turned off completely and permanently. I do not care if it is more "convenient". There are hurdles to jump through before my bank account can be accessed for a very good reason, and I do not want them bypassed.


Any help would be appreciated.

1 REPLY

blubble
New Community Member

Unfortunately I've run into exactly the same situation and resolution. The person I got on the phone said there weren't any other options that she was able to find.

As you've said, this is pretty frustrating; my mobile phone is not a secure device and nor should my mobile number+email address be the single-factor authentication to my bank account (it's not too hard to transfer ownership of mobile numbers). I would not have even linked the account to my mobile number if I hadn't been forced to, to conduct a larger payment. This is a big step down in terms of security for me.

I only use the account for purchases, not to receive money, so in terms of what to do next I think it'll be this:


1. Since your post was recent, hopefully the change is recent also and they'll back it out in the next week or so (not holding my breath). After a week or so I'll move to step 2.

2. Change all my recurring payments to use Visa or another option (I don't think there are many fortunately).

3. Close my PayPal account and start paying for ad-hoc things with Visa. I'll probably do this via PayPal when offered (so I'll have to put in my name, address etc. as well as the card every time), because at least they're a trusted party to give the Visa number to.

The option of using Visa everywhere isn't great either (23 numbers and you're done), but since I'm doing that in many places anyway the above should at least reduce the number of lower security ways people can extract from my bank account.

I also considered 'bypassing' this issue by changing my PayPal email address to a password-like alias (e.g. <removed> at mydomain.com), but unfortunately PayPal shares this email automatically with merchants, so it wouldn't be possible to keep it secure.
