It depends on what your threat model is. The attacks you're talking about are real, absolutely.
For the threat model of a physically local attacker with either the right timing (for grabbing an incoming fax) or the right knowledge (for the phone system equivalent of tcpdump), you're quite right that fax is insecure. Likewise for state sponsored adversaries or certain organized crime groups.
But if you just want to make it hard for people scanning the internet to see what juicy corporate espionage they can find and resell, without specifically targeting you, fax is probably less vulnerable to that threat model than, for example, an undermaintained email server. Likewise if you piss off script kiddies somewhere on the internet with botnets and exploit kits, your website is probably a bigger risk than your fax machine.
For the threat model of a physically local attacker with either the right timing (for grabbing an incoming fax) or the right knowledge (for the phone system equivalent of tcpdump), you're quite right that fax is insecure. Likewise for state sponsored adversaries or certain organized crime groups.
But if you just want to make it hard for people scanning the internet to see what juicy corporate espionage they can find and resell, without specifically targeting you, fax is probably less vulnerable to that threat model than, for example, an undermaintained email server. Likewise if you piss off script kiddies somewhere on the internet with botnets and exploit kits, your website is probably a bigger risk than your fax machine.