These people aren't "using" numbers that they own. The phone system largely does not track or care about the actual source of a phone call, and the caller ID value is only voluntary metadata that is not expected to correspond to the source of the call (it often doesn't in legitimate situations). The telephone system simply doesn't have a sense of "from" in the way that even protocols like email do; most telephone equipment neither knows or cares who the call is from. You don't need control of a single telephone number to introduce calls into the system.
STIR/SHAKEN was created essentially to address this problem by introducing a strict sense of the origin of a call for the first time. STIR/SHAKEN is still early in its process but it does already make it easier for the industry tracing group to determine the actual source of these calls. STIR/SHAKEN compliance is also relatively expensive so it has sort of created a pay-to-play situation, both raising prices a bit and introducing a sort of KYC to the telecom industry where getting VoIP termination service now often involves sending the provider a passport, business registration documents, etc.
And for what it's worth, getting a phone number for inbound calls already involves a fee and $1/month is actually pretty close on for an average. It goes as low as around $0.20 a month from low-cost bulk providers and as high as $8/mo from some more consumer-oriented services (that nonetheless offer DIDs). It's just that control of a phone number (prior to STIR/SHAKEN) only matters for inbound, not outbound.
> The phone system largely does not track or care about the actual source of a phone call
Sure they do. When I worked for a small telecom, the provenance of every call was meticulously tracked for billing purposes. Figuring out who to bill for what on each link of the chain is tricky and requires excellent recordkeeping.
That system is entirely unrelated to Caller ID, though.
It's also unrelated to who's actually calling - only the originating carrier. In the case of VoIP gateways (where basically all of this traffic ultimately originates), billing ANI typically gives you one number for the entire carrier that handed over the traffic. Since these calls often traverse multiple carriers (across multiple countries often) that's usually a billing indicator for a carrier that's already one or two steps into the PSTN.
ANI does tell you something, but it is not the number of the caller, it's an identifying number their carrier has chosen to use for billing purposes! For most calls not originating from POTS that's basically an arbitrary identifier and normally different from CID and other properties of the caller. Even on a lot of POTS calls it's different, for example, with institutional customers using PABXs where there is usually only one ANI number regardless of the number of DIDs etc they possess.
Then the price is not right. Make it expensive from the start, and then gradually give back most of the price when the user has had a good standing for long enough.
Unlike IP addresses, phone numbers don't need to be "routable" to originate a call. Most spam robocalls are made from spoofed numbers, often from a randomly chosen number in the same exchange as the recipient.
