Hang on, can you actually do something nefarious with just the bank account number?
AFAIK that's a US thing. In normal countries bank account numbers are not a secret. The worst thing that can happen is someone sending you money.
Yes and no. Yes, theoretically you can initiate an ACH transfer with just the account number. But practically, you will need to have a bank that would allow you to do that and agree to be on the hook if the transfer is going to be reversed. Which means if you are a criminal who wants to do it systematically at scale, you have to be big enough to have your own licensed pocket bank. Which is not a service available to a random criminal. Of course, a random criminal could forge a check with your numbers and cash it, but the account owner would rarely be on the hook for the funds; it's whoever agreed to cash the check. It can cause significant annoyance and inconvenience to the real owner of the account (including having to change the account number and all the accompanying legwork) but rarely results in funds actually being removed from the rightful owner. The banks prefer this system to the alternatives even with the risk of fraud.
Yes, but there are steep penalties for bank fraud, so it is not especially common.
If someone has your bank account and bank’s routing number (which is also not secret), they can make fraudulent ACH transfers and payments from your account. Of course it will most likely be caught as fraud some time after the fact, but just those two bits of not-secret info are enough to grief someone.