Actually, they have been doing that for quite a while; say a couple of years. Yet it still works, and we only hear about it when some organization is hit with a hefty phone bill because their PBX server has been abused.
The West Australian is running a feature article on various (undisclosed) cases where PBX systems, some traditional while others are IP-based (and exposed on the Internet) were abused to make phonecalls to foreign countries.
While looking for more information, an article from 2005 showed up which describes what happened to a couple of organizations (hospitals and businesses). The telco companies tend to ask the victim organizations to pay up the phone bill for calls that the phone phreaks made.
But now things are moving more towards the Internet, where attackers can be anywhere in the world and the cost of a packet is much less than that of a phonecall!