Very interesting. To summarise, I think the issue is that the phone gets itself into a state of waiting for a locked SIM to release itself before it unlocks the phone. The problem is that the attacker could have their own pre-locked SIM, which they of course know the code for, that they can hot-swap in, and this will erroneously also unlock the phone.
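The state-machine flaw described in the post, as an added example that is not part of the original thread and not the phone's actual code: a constructed Python model in which the flawed unlock logic treats "SIM PIN accepted" as "device unlocked", beside the corrected logic where a SIM PIN only clears the SIM prompt and the device passcode is still required. All class names, PINs and passcodes are assumptions made for the simulation.

```python
"""Constructed model of the unlock state machine discussed above.
Hypothetical code for illustration, not the phone's firmware."""

from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class State(Enum):
    LOCKED = auto()            # device locked, no SIM PIN prompt pending
    AWAITING_SIM_PIN = auto()  # device locked, waiting for the SIM to be released
    UNLOCKED = auto()


@dataclass
class Sim:
    pin: str
    locked: bool = True

    def unlock(self, pin: str) -> bool:
        """Release the SIM if the PIN matches; return whether it is now released."""
        if self.locked and pin == self.pin:
            self.locked = False
        return not self.locked


@dataclass
class Phone:
    passcode: str
    sim: Optional[Sim] = None
    state: State = State.LOCKED
    fixed: bool = False  # False = flawed logic from the post, True = corrected logic

    def insert_sim(self, sim: Sim) -> State:
        """Hot-swap a SIM. A PIN-locked SIM puts the locked device into the waiting state."""
        self.sim = sim
        if sim.locked and self.state != State.UNLOCKED:
            self.state = State.AWAITING_SIM_PIN
        return self.state

    def enter_sim_pin(self, pin: str) -> State:
        if self.sim is None or not self.sim.unlock(pin):
            return self.state  # wrong PIN or no SIM: nothing changes
        if self.state != State.AWAITING_SIM_PIN:
            return self.state
        if self.fixed:
            # Corrected: releasing the SIM only dismisses the SIM prompt.
            # The device stays locked until the device passcode is verified.
            self.state = State.LOCKED
        else:
            # Flawed: "SIM released" is wrongly taken to mean "release the device",
            # regardless of whose SIM it was or who knew its PIN.
            self.state = State.UNLOCKED
        return self.state

    def enter_passcode(self, code: str) -> State:
        if code == self.passcode:
            self.state = State.UNLOCKED
        return self.state


def hotswap_attack(fixed: bool) -> State:
    """Attacker swaps in their own pre-locked SIM and enters its PIN.
    Returns the device state afterwards; the attacker never learns the passcode."""
    phone = Phone(passcode="246810", fixed=fixed)  # assumed victim passcode
    phone.insert_sim(Sim(pin="0000"))              # victim's SIM, PIN unknown to attacker
    phone.insert_sim(Sim(pin="1234"))              # attacker's own SIM, PIN known to them
    return phone.enter_sim_pin("1234")


def owner_unlock(fixed: bool, passcode: str = "246810") -> State:
    """Legitimate path: owner releases their SIM, then enters the device passcode."""
    phone = Phone(passcode="246810", fixed=fixed)
    phone.insert_sim(Sim(pin="0000"))
    phone.enter_sim_pin("0000")
    return phone.enter_passcode(passcode)


if __name__ == "__main__":
    print("flawed, hot-swap attack:", hotswap_attack(fixed=False).name)
    print("fixed,  hot-swap attack:", hotswap_attack(fixed=True).name)
    print("fixed,  owner with passcode:", owner_unlock(fixed=True).name)
```

The check that matters is the one in `enter_sim_pin`: the only event allowed to move the device to `UNLOCKED` is verification of the device credential, so a successful SIM PIN entry, whoever's SIM it is, can at most return the device to `LOCKED`.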