SIM cards are cryptographic hardware tokens. They are much more secure than passwords.
In fact, they do need a password as well on top of the hardware token; that's the 'PIN code' you have to enter when you (re)boot your phone.
I transferred my mobile phone number etc. over to a new SIM card the other week and all I needed was name, address, DOB and proof of ID... of course my network didn't have any of these on file yet, so I had to first tell them these details, and then show ID to verify that I was who I had just told them that I should be. Yeah... this is the state of consumer mobile security.
None of this required physical access to the phone, I just had to log in to their website, with a username and password, and change my details.
On most networks you can steal someone's mobile number with just a few minutes of physical access and a bit of planning.
It means that carriers don't have to maintain "sessions" centrally. The SIM can authenticate you to the base station without the base station having to check back to see if you're logged in elsewhere - vital in reducing the latency of cell changes.
(It also stores various bits of technical information for SMS/MMS routing, and was intended to be a platform for "value added" applications.)
Authentication in a telco context is a good thing. The fact that the web doesn't have it enabled a large number of applications to flourish; it also made some other things devilishly hard, or even almost impossible.
Only on the home network; everybody who knows your IMSI and has low-level access to the phone network can clone your identity in roaming.
The alternatives are worse in usability AND security.
If you don't want your account to be hacked: yes.