"...but the operating systems used are pretty old and thus fairly robust."
I'm sorry, but just because software is old, it doesn't mean its good. Windows for example had perfectly well documented exploitable flaws in its API for decades (LNK Autostart "bug" used in Stuxnet).
Baseband code isn't looked at by many people. Large parts of it were developed in the early 1990s when people didn't know about security. It was never tested against malicious attackers.
In fact if you look into the whole picture, you will even find deliberate security holes. For example your operator can use the SIM toolkit to just change the number you are dialling to everything you want. This probably even works for other operators when you are roaming. Trusting that your call actually arrives at the number you have called is the trusted element in many "secure" systems. You'd be surprised how many PCAnywhere installations relied on call-back for security.
Mobile phones (both smart and dumb ones) aren't secure devices, they probably will never be. That's why the part the operators care about is in an extra module (the SIM). We need to stop thinking that those devices and networks are just secure black boxes.