Tip of the iceberg
Seriously.
CLI spoofing is the least of how dain-bramaged telco security practices are.
Once past the gates the assumption is that everyone in the telco kingdoms can be utterly trusted. There's no security in place for anything.
The scandals about a decade ago regarding hijacking of unassigned numbering ranges belonging to various countries for use as porn lines underscored that - and the fundamental non-security of telephone number routing has never been fixed from those days (the hijacking stopped because it was no longer profitable, not because it was locked out by improved security)
Yes, all this shit can be defended against - but doing so costs money and that means reduced profits.
Spoofed CLI would stop in a heartbeat if Ofcom started targetting telcos with punitive action for failing to detect and prevent it.