@kasperd : using Windows for sensitive tasks poses *way* more security risks than doing that on smartphones.
Side note: I've been trying to secure Windows desktops and servers for more than 25 years, and I can tell you this: YOU CAN'T. It's a huge legacy mess exposing an enormous attack surface. Properly fixing things would break too much. No way that throwing ISO 27k* at it will help - those are not even different worlds, but rather distant solar systems.
For most people, even using a Linux distro for critical tasks means taking more security risks than if they used a smartphone to do that.
On smartphones, users can still do stupid things, but, because of app separation, it is usually not the OS that introduces most security risks. Those risks are concentrated around installing apps with too many privileges (aka permissions) "to break the basic rules", such as required by RATs (Remote Access Tools) like TeamViewer and AnyDesk.
Even knowing that there will always be risks that we're not (yet) aware of: in particular for ordinary users, Android and iOS significantly reduce risks compared to "desktop" operating systems.
Having said all that, IMO the risk of letting a smartphone represent our full identity is insane (such as when using eID/EDIW/EUDIW). It is not primarily smartphones that are to blame for that, but the internet.
Authenticating mandates fully trusting the party that verifies and confirms your identity (*). The first step for trust is exactly knowing *which party* is verifying your identity. On the current internet, for most users it is impossible to distinguish between fake and authentic parties.
(*) For three reasons:
1) They won't let anyone in who claims to be you;
2) They won't, as an AitM, abuse your identity and verification data to authenticate as you elsewhere;
3) They *really* protect, and remove ASAP, all verification data immediately after the verification took place (https://www.404media.co/id-verification-service-for-tiktok-uber-x-exposed-driver-licenses-au10tix/).