1. You have two-factor authentication enabled. Someone with your Twitter password and phone number could turn off 2FA by spoofing a command to remove your number from Twitter’s SMS service.
2. You don’t have two-factor authentication enabled. Someone with just your Twitter password could turn on 2FA for any phone number he can spoof, locking you out of your account.
Fortunately Twitter has addressed SMS spoofing before in response to a separate issue.
Most Twitter users interact over the SMS channel using a “shortcode.” In the US, for instance, this shortcode is 40404. Because of the way that shortcodes work, it is not possible to send an SMS message with a fake source addressed to them, which eliminates the possibility of an SMS spoofing attack to those numbers.
So neither exploit will work with spoofed text messages. Someone with your Twitter password and your phone could do exploit number 1, but a stolen phone is an issue with your physical security, not Twitter’s 2FA. Exploit number 2, however, could be a problem for any platform that uses SMS to verify logins. If an attacker who maliciously gains control of an account (Twitter, Google, Dropbox, whatever) is willing to use a real phone number (from a throwaway prepaid phone, for example), he could easily enable 2FA on that account to lock the owner out and slow the support process.
Still, two layers of security are better than one, and three are better than two.
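As an added illustration (not Twitter's code), here is a small Python model of the SMS 2FA enrollment flow discussed above, written so that the claimed source of an inbound text never changes 2FA state by itself: every enable or disable is confirmed only by a one-time code the service sends outbound to the phone number in question. The `send_sms` callable, user names and phone numbers are assumed and constructed for the example.

```python
import hmac
import secrets
import time

# Added example, not Twitter's implementation. Rule being modelled: an inbound
# SMS source address can be spoofed (outside shortcodes), so 2FA changes are
# driven only by a code the service itself delivers to the number in question.

CODE_TTL = 300  # seconds a delivered code stays valid


class SmsTwoFactor:
    def __init__(self, send_sms):
        self.send_sms = send_sms   # assumed callable(phone, text): outbound channel
        self.enrolled = {}         # user -> phone number proven by a code
        self.pending = {}          # user -> (action, phone, code, expires_at)

    def _challenge(self, user, action, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (action, phone, code, time.time() + CODE_TTL)
        self.send_sms(phone, f"Your code to turn 2FA {action} is {code}")

    def request_enable(self, user, phone):
        # Code goes to the NEW number: whoever confirms must actually hold it.
        self._challenge(user, "on", phone)

    def request_disable(self, user):
        # Code goes to the number already on file, never one the caller claims.
        if user in self.enrolled:
            self._challenge(user, "off", self.enrolled[user])

    def confirm(self, user, code):
        entry = self.pending.pop(user, None)  # one attempt per code
        if entry is None:
            return False
        action, phone, expected, expires_at = entry
        if time.time() > expires_at or not hmac.compare_digest(code, expected):
            return False
        if action == "on":
            self.enrolled[user] = phone
        else:
            self.enrolled.pop(user, None)
        return True

    def handle_inbound(self, claimed_from, body):
        # An inbound "OFF" is untrusted: at most it starts a challenge to the
        # number on file (which a spoofer does not receive); state is unchanged.
        for user, phone in self.enrolled.items():
            if phone == claimed_from and body.strip().upper() == "OFF":
                self._challenge(user, "off", phone)
        return False
```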