That makes a lot of sense and could have been what happened. It would also make it more difficult for Google to do something like ignore responses that come after 4+ rings.
I'm more curious why a "secure" PIN is simply left, automated, as a message. A more "secure" option, I would think, would be to require some sort of input from the person who answered (say, "Press 1 for the PIN" where that number is randomized, or something).