Even if the phone dial-in ID would be enabled by default (which isn't what I am suggesting), the extra latency and cost of brute forcing them over the phone network will make these attacks much harder.