As a sysadmin many years ago, I learned two sayings that still hold true. "User is a four letter word". "User rhymes with loser (luser)".
At many companies, the phones will show you the caller ID information for inside calls. When I worked at an unnamed semiconductor company, it even showed if the person was calling from Sunnyvale, Singapore or Dresden. So verifying that it's Sally from HR was no problem.
Security, like most of IT, is viewed as a cost center. So they try to minimize expenses. And wind up losing money on the proposition. There are numerous papers out there on the value proposition of security. But upper management doesn't read them. They don't read anything.