Exactly, I came here to say this!

> This two-factor system is generally secure. The space of all 6-character alphanumeric confirmation codes combined with all possible last names is astronomically large, making it impossible to “guess” a valid pair.

Depending on the threat model, the attacker's goal might not be to guess a single pair but to access any valid pair (of a booking with a flight date in the future, or maybe even in the past). Suddenly you're looking at thousands of valid booking codes and the attacker can try a couple dozen of common names. Brute-forcing valid pairs then becomes relatively easy.