The fob relies on a shared secret between the fob and the server.
People thought it was bullet-proof, until someone hacked into RSA (largest provider of these fobs to steal that shared secret because they really wanted to hack into Raytheon (military contractor).
The SMS thingy relies on the security of Swisscom's SMS-center (ZKB will have a direct link and talk to it via something like kannel - at least I hope they do and don't rely on a third-party like aspsms.com to send the SMSs) and the security of the transport-link between ZKB's servers and Swisscom's servers)
I would have said that filling out pink and orange slips is the safest, except that ZKB has outsourced it to Swisscom and it's currently not really working... http://insideparadeplatz.ch/2015/10/...it-eine-woche/
Heaven knows how much of the banking-stuff is already outsourced to some other continent or some European nation very high on Transparency International's yearly corruption-index...