I was one of the devs that build the Vanguard login services, though I haven't worked on it in a long time and have since left. The SMS 2FA fallback was a stupid thing that some security architects wouldn't let us get around. I pushed pretty hard on that but alas didn't have the political capital nor time.
The main risk is that you will not be insured by FDIC any longer. However, if you remember 2008, the government was very interested in ensuring that money market funds did not lose any value ("breaking the buck"). So you are comparing an absolute FDIC guarantee to clean up the pieces if anything should break versus a no-holds-barred effort to ensure that nothing breaks in the first place, but then no guarantees if it does.
Other minor things to note: (1) You will be directly exposed to interest rates, and they can and do change quickly when nothing is locked in. This is usually in your favor (no more plummeting down instantly and climbing up very very slowly...), but it's worth recognizing. (2) As money market funds are security-like, it is usually slow to move money in and out of them. Securities trades do not settle instantly in the US, and this is intentional. Again, no issue if you know this is the case. Your broker may also hide some of this latency for you, depending on what you're buying from who.
I would say the risks are approximately the same. The biggest difference is that HYSA are insured by the FDIC up to 250K. Money market funds, purchased through a brokerage, are insured by SIPC. You get 500K of coverage total, but only up to 250K of that goes to cash equivalents. On the other hand, your brokerage likely isn’t engaged in fractional reserve banking like a bank is, so maybe your money is more secure with a brokerage.
