I've been trying to figure this out for days now, by reading the specs. I originally thought the same as you - the shared symmetric key is used only for authentication. But reading descriptions of the protocol closely I don't believe they are really using forward secrecy at all.

The problem is that whilst, yes, unique and constantly rotating randomness is used to establish unique session keys, the session keys are derived from the random nonce that's an encryption of the network selected randomness. In other words if you have the SIM key, you can figure out what the session keys also were. Ultimately the standard SIMs don't seem to use asymmetric crypto anywhere, meaning a compromise of the SIM key still allows you to undo all the encryption. Ultimately everything is derived from these shared keys.

And yes the problem of 2G downgrade attacks remain. There doesn't seem to be any good solution for those short of phasing out 2G entirely.