One fix that was mentioned in the comments that would have been easy to implement (and, frankly, bizarre it’s not implemented yet) is confirming the password when performing such critical actions as removing or adding devices/telephone numbers.
I just tested this on my iPhone and it absolutely asks you for a password before you can touch the iCloud phone number. I suspect the victim was compelled to either enter or hand over this password when the phone was stolen. It's not out of the question that the brother forgot this happening, considering how stressful the situation would have been.
Unfortunately I don't have an iPhone to check, but another comment [1] suggests that this may happen if you physically change SIMs. My brother said they didn't ask for his iCloud password, which makes sense: if they had the password then they wouldn't have needed the phishing step afterwards.
At this point I will just stop commenting on this post as it seems like either Apple already fixed this or some of the most critical information has been omitted by the author. So we are just guessing and raging for no reason.