Some will suggest this was deliberate
But the fact that LTE and especially 5G was designed with IoT in mind, as well as being aware that much of the world still wants phones to cost $20 or less, doesn't leave a lot of room for mandatory security features.
The spy agencies don't have to plant holes, they just need to sit back and wait for the inevitable shortcomings and mistakes. It would be nice though to see 3GPP quit focusing on more and more speed by using larger and larger chunks of bandwidth, and have a release that's focused on security. It can be optional for end devices, that's fine, but it should be mandatory on the carrier side when the end device supports it. Then we just need Apple & Google to provide us with a way to tell if our devices have connected in a secure manner or not (make it show LTES and 5GS instead of LTE/5G in the status or something)