That's an interesting and very simple exploit, easily achieved.
As said above Netflix has assumed the security of the medium over which this authentication happens, but they have no control over it, so the assumption is flawed.
I guess the fallout from an exploit like this is limited to a) someone using your netflix account to watch stuff and b) the legitimate owner being locked out until they reset the account themselves.
However, I wonder what other companies and systems use the same auto phone call method for verification? I reckon there could be a lot more systems need looking at in light of this.