Cracking software certificates?
If you think that's such a simple thing to do, how come we aren't reading about people cracking Google and Apple's HTTPS certificates? Sure, once in a while someone fools a registrar into issuing something they shouldn't, but it is pretty simple to give each carrier its own carrier level certificate (which they are responsible for securing) making them the ONLY issuing authority for user certificates (i.e. software SIM) You can load up any number of SIM certificates from whatever carriers you want, and select them in the Settings menu (however iOS/Android handle the GUI for this)
If someone finds a way to crack public key certificates, we have way way bigger problems than being able to impersonate someone's phone. Like being able to impersonate POTUS and give orders to fire nuclear weapons kind of bigger problems.