A properly setup system is secure. Although, I have more than once come across systems not setup correctly - even in the analog world. Someone once showed me a CellC number that you can dial, which allows hairpinning -- you get a dial tone, and you can make International calls from there. I suspect that this was from a poorly tested PremiCell implementation. But equally, if the engineers installing are not educated in their products, they don't know to look for such things.
Every responsible VoIP provider should apply credit limits to mitigate this sort of activity.
Switch Telecom sets limits in accordance with anticipated customer spend. E.g. If a residential customer signs up, they are generally limited to R1,000 initially while a small business may be limited to R3,000 or a large business to significantly more than that. As usage gets to say, ~75% of the limit, we then pro-actively re-evaluate if the limit should be increased. If the activity looks potentially dodgy (e.g. sudden increase in usage in a single day), we would generally investigate further and/or call the customer for authorisation before increasing their limit.
Ultimately, if the customer provides their own PBX, then they are responsible for the security of it and any calls made through it. The telco (whether a VoIP provider, land-line network, mobile network, or other) must, however, take reasonable efforts to mitigate against fraud.
Any VoIP provider (or other telco) who says it is the customer's issue is deluding themselves; when faced with a bill that they cannot afford, customers will dispute, default or pay late. A provider that doesn't make any effort to help protect their customers will ultimately suffer the consequence of their inaction through increased bad debt.