Also found the /r/VOIP subreddit [1] which has plenty of reading.
Can you remotely update firmware on modems?
Some devices can be updated remotely as these helpful guides explain. https://www.draytek.co.uk/support/guides/fw-remote https://www.ewon.biz/technical-support/pages/firmware/modem-...
So can a specially crafted string from the phone line be used to update firmware on ATA's? If they can handle v23 protocols for Caller ID, this indicates some modem capabilities does it not? So can the device differentiate which interfaces the commands are coming in on?
Why do people implicitly trust the telco's? Here in the UK, if you can get fast broadband, basically anything above ADSL2+, you'll be connected to a Broadcom cabinet. Broadcom have their bugs as well, you can find them on their website, but its a less common attack vector because its not public facing as such, unlike calling a business on their freephone number and then getting a second dial tone like in the old days of phone phreaking.
TLDR is just look at these devices as circuit boards, convention can be used to hide attack vectors and whilst the circuit design can help make a device secure, the easier or more convenient it is to update a device, the easier it is to hack, its not like taking a EEPROM out to blank under UV light and re flash it, is it?
That said, PABXs I worked with have built-in software modems (both POTS and ISDN, needs to be explicitely enabled) with remote management capability and there is also dedicated web portal for management even if device is behind NAT (paid feature). Whether you want to trust hardware/software you have no control of - that's another story. For "big" PABXs partnership between manufacturer and installers usually lasts for years.
You could also get an ATA (https://www.amazon.com/Grandstream-HT801-Single-Port-Telepho...) and plug a traditional phone into it. I used one of these at home for a long time. Just realized it's still plugged in an running and I threw out my last analog phone over a year ago!!!