This actually is not a bad thing. If an unofficial client MITM the whole registration process, it’s much harder for the true account owner to prove that he/she is the legit one.
Also, it doesn’t really require a client to register; Telegram can be accessed from a browser.
Compared to login, MITM on registration means the culprit knows the IP address and the time of the registration, which is usually significant on claiming the account back.
I don’t have a spare number to test, but I’m pretty sure entering a phone number in the web sends a SMS code. Do you have concrete evidence that it really doesn’t work?