[superuser2]

In business telephony systems there is no "true" phone number for a customer.

The telco has some connection to a customer site which carries signaling data and N concurrent voice channels. A potentially large block of numbers are routed down that link by the telco. When he customer makes an outgoing call it sends whatever it wants (or nothing) as CID.

A national franchise with 1,000 stores serviced by 30 different small town telecoms might all send the national HQ number as caller ID, even though the calls do not jump through the national HQ first.

There is no will among the various telecoms to build and integrate a whitelist system that interoperates, so they leave it wide open.

You can't just find out who a phone number belongs to, and phone numbers do not have to ring to anyone on the other side to be valid outgoing CID numbers. It's unclear how such a whitelist system would help anyone, anyway.