I am sorry to read about the issue you have had. About 5 years ago I had 3-5 PBXs hacked due to a vulnerability in FreePBX, and unfortunately, by the time they released the information and we became aware of the vulnerability, the PBXs were already compromised.
Since then, I do 3 important things: 1. enable the Responsive Firewall and only allow UCP from the internet; 2. ensure Fail2Ban is enabled and change the values so the reset time is longer; 3. set the PBX to auto-update security updates (and modules if you like). I also run nightly backups to FTP.
I used to configure our UTM to block all port access except for the essential PBX ports; however, I find the Responsive Firewall and Fail2Ban do a great job. I see far fewer hack attempts after changing the Fail2Ban reset times to 1-3 days.
My company provides Cloud PBX based on the FreePBX Distro, and in the last 5 years we have had no issues following the steps I mentioned.
I should also mention that we set the SIP Auth password for devices, and these are generally not available to clients; however, if a client wants to set their own password, we make sure it is strong, and we can check for weak passwords using the weak password detection found under the Reports menu.
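As an added illustration of the kind of weak-password check the post refers to (example code written for this reply, not FreePBX's own Reports module), here is a small audit over a constructed set of extension secrets; the length and character-class thresholds and the deny list are assumptions, not FreePBX's rules:

```python
# Constructed sample of extension -> SIP secret pairs, shaped like what an
# audit script might read from a backup or report export (values are made up).
SAMPLE_EXTENSIONS = {
    "1001": {"name": "Reception", "secret": "1001"},
    "1002": {"name": "Sales", "secret": "password123"},
    "1003": {"name": "Support", "secret": "Support!2024xyz"},
    "1004": {"name": "Warehouse", "secret": "Kf8#zQ2r$Vn7pL1m"},
}

# Small deny list of widely guessed defaults; a real audit would use a larger list.
COMMON_SECRETS = {"password", "password123", "123456", "secret", "asterisk", "1234"}
MIN_LENGTH = 12   # assumed policy threshold
MIN_CLASSES = 3   # assumed policy threshold (of lower/upper/digit/symbol)


def character_classes(secret):
    """Count how many of the lower/upper/digit/symbol classes appear in the secret."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in secret) for check in checks)


def audit_secret(ext, name, secret):
    """Return the list of weaknesses found for one extension's SIP secret."""
    findings = []
    if len(secret) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(secret) < MIN_CLASSES:
        findings.append(f"fewer than {MIN_CLASSES} character classes")
    if ext in secret:
        findings.append("contains the extension number")
    if name.lower() in secret.lower():
        findings.append("contains the extension name")
    if secret.lower() in COMMON_SECRETS:
        findings.append("matches a common default")
    return findings


def audit_all(extensions):
    """Map each extension to its findings; extensions with no findings are omitted."""
    report = {}
    for ext, info in extensions.items():
        findings = audit_secret(ext, info["name"], info["secret"])
        if findings:
            report[ext] = findings
    return report


if __name__ == "__main__":
    for ext, findings in audit_all(SAMPLE_EXTENSIONS).items():
        print(ext, "->", "; ".join(findings))
```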