Hi @Prabhaji
I would like to bring to your kind attention a few security measures that are already in place.
We send a push notification and an email notification when someone tries to log in from a new location or a new device, after the first factor is entered and before the second factor is entered.
Further, in case of a password reset, the flow currently requires the user to enter his PAN (which only the user knows) and the User ID to trigger the account reset OTP. This flow currently ensures that the attacker has to know the user’s PAN and User ID to request the OTP. There is also an account block feature that we have introduced, which allows the user to get his account blocked within 15 minutes. I have explained it in detail here.
While it’s true that a few cases of account hacks have happened in the past due to email compromise, we have taken a few measures in this regard as well. If an email service provider doesn’t mandate 2FA, we have stopped linking such email IDs with Zerodha’s trading accounts (e.g. Rediff mail). We have also added a nudge for users to change the email ID linked to Kite.
Coming to the specific request of not sending OTPs to email and only to the mobile phone: we did do an analysis in this regard, and people mostly used email OTPs rather than mobile OTPs. Also, the counter argument here is that if we send the OTP only to mobile and the mobile device is lost, then the user cannot reset his password.
There is also the issue of SMS compromise over the telephone network. Hence it would inconvenience a large chunk of users without really adding security.
It’s a good thing to enable 2FA on your email to prevent any of this in the first place.
Hope this addresses your concern.