Compared to login, MITM on registration means the culprit knows the IP address and the time of the registration, which is usually significant on claiming the account back.
I don't have a spare number to test, but I'm pretty sure entering a phone number in the web sends a SMS code. Do you have concrete evidence that it really doesn't work?
This actually is not a bad thing. If an unofficial client MITM the whole registration process, it's much harder for the true account owner to prove that he/she is the legit one.
Also, it doesn't really require a client to register; Telegram can be accessed from a browser.
Not sure about Apple devices, but for Android there's FRP (factory reset protection). Basically, if an Android phone which has FRP enabled has at least one Google account signed in, after factory reset, the phone is locked unless it signs into one of the Google accounts previously in use.
I cannot find documents about FRP from Google, but here's one from Samsung, and I'm pretty sure it's not limited to Samsung.