* Except when I worked as a developer on a PBX. Then I had around 8 phones on my desk. I still didn't bother to configure any of them for usage as my office phone...
PBX developer who doesn't actually use the phone for communication purposes. This may explain a few things about my local Xen box.
If you already have access to that system, it's fairly trivial to install password-capturing code.
The whole point is to engage in defence in depth - FreeBSD offers kern.securelevel to prevent you from being able to write to the file system, or change firewall rules. We have anti-rootkit checking programs (do most people make regular use of rkhunter or anything similar?). Further, you need to encrypt and safely store backups. No password logging program is going to lift them from the hashes you got from the borrowed backup drives. Probably 60% of engagements I have been involved in managed to lift a backup drive from the environment, permitting only the tiniest changes to be made to live servers, thus minimising our risk of breaking things, and a (potential) black-hat's chance of being caught.
Making the hashes harder to crack makes it harder to crack into the server, live or from backups. You'd be surprised how many people forget backups.
Hardly anyone ever reads all the information that would be useful for them; at most they read what gives them the answer they want.
It's not even that - I do it when I call a client on my way to a site (if it's not in the address book). You google the name and the word contact, google returns you the phone number but not much (if any) of the surrounding information, so you dial the number.
If a moderately intelligent tech is doing it that way, of course the masses are. Remove the phone number from public access, do what others suggest and set up a 900 number that costs to call, and go from there.
Stellar rays prove fibbing never pays. Embezzlement is another matter.