Hacker News

The telephone dial-in option should've been separate - if the user chooses to enable it then they can fall back to shorter IDs, while meetings that don't need it (or where it doesn't make sense anyway - screen shares, presentations, etc.) would use longer, more secure IDs.



As we've used it at work, the phone dial-in option is the backup plan -- useful when people can't set up their computer's microphone correctly, or lose Internet access for whatever reason.


The "just works" nature is why Zoom is popular. No one wants to have every meeting start with "Is Larry here? Oh, I think he's trying to dial in. I'm going to cancel this meeting and send out a new ID so he can dial in. Everyone watch for that so you can reconnect."


The second ID can be generated in addition to the first, primary ID.


You could even include the option to get approval - pop up says "Mx. Caller ID is calling from 555.555.5555. Approve?" Obviously there's no way to get in through random dialing. And if you get a pile of requests, provide a way to filter incoming numbers and disable the calling ID as soon as everyone is in.

That's even assuming that anti-DoS protection on the phone line is impossible.


Which means all you gotta do is war dial the phone network...


Even if the phone dial-in ID were enabled by default (which isn't what I am suggesting), the extra latency and cost of brute forcing them over the phone network would make these attacks much harder.



