TL;DR - scammers would search for every possible phone number, find out the owners' names & info, and make scam calls to them. FB tried to limit searches per IP, but scammers would switch IPs.

Seems like a safer version of this would have been to make the searcher supply more info than the phone number - eg, at least N characters of the person's name. And to tie such searches to an account. And to verify that the found people knew the searcher before allowing them to do more searches.