
This type of escalating validation is also ripe for social engineering. You said this person called 10 times. They don't need to do everything in one call. Instead the goal for earlier calls can be to gather information. You gave the example of the person trying to take over the account without knowing the login name. What information would someone need to supply to get the account name? Does that require escalation? If not, what is the value of requiring that as part of the identity validation process?

If the company is going to provide some level of support to people they haven't verified, that support will be abused as a means of passing the verification.



At the risk of being a software developer that always sees everything as a software problem, I feel like this could largely be mitigated with very simple improvements to the customer service application.

Back when this happened, that was my first question to USAA and one for which the security guy didn't have a ready answer, though probably it boils down to some version of "we are heavily regulated and continue to rely on software built for mainframes."

There are so many possible ways to mitigate the risk which should be triggered well before a half dozen attempts finally get to a teller credulous enough to believe their excuses for ignorance.
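An added example, not from either commenter, of the application-side mitigation the two comments point at: a per-account ledger that counts failed identity checks across separate calls (not just within one call), freezes phone support once a threshold is reached, and withholds account-identifying data such as the login name from anyone not yet verified, so earlier calls cannot be used to harvest the inputs for a later one. The class names, the threshold, the window and the tier scheme are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LOCK_THRESHOLD = 3          # failed checks (across calls) before phone support is frozen; assumed value
WINDOW = timedelta(days=7)  # failures are counted over this window, not per call; assumed value

# What an agent may read out at each tier. The login name is deliberately absent
# for unverified callers: it is itself an input to a later verification attempt.
DISCLOSURE = {
    "unverified": set(),
    "verified": {"login_name", "last_login_date", "balance"},
    "frozen": set(),   # phone support closed; caller must use another channel
}


@dataclass
class AccountLedger:
    failures: list = field(default_factory=list)  # timestamps of failed checks, all calls
    frozen: bool = False


class VerificationTracker:
    """Keeps verification history per account rather than per call."""

    def __init__(self) -> None:
        self.ledgers: dict[str, AccountLedger] = {}

    def record_attempt(self, account: str, passed: bool, now: datetime) -> str:
        """Record the outcome of one identity check and return the caller's tier."""
        ledger = self.ledgers.setdefault(account, AccountLedger())
        # Drop failures that have aged out of the window before counting.
        ledger.failures = [t for t in ledger.failures if now - t <= WINDOW]
        if ledger.frozen:
            # A correct answer on a later call does not reopen phone support;
            # the attacker may have learned it from the earlier failed calls.
            return "frozen"
        if passed:
            return "verified"
        ledger.failures.append(now)
        if len(ledger.failures) >= LOCK_THRESHOLD:
            ledger.frozen = True
            return "frozen"
        return "unverified"

    @staticmethod
    def may_disclose(tier: str, item: str) -> bool:
        """Gate every piece of account data on the tier reached in this call."""
        return item in DISCLOSURE.get(tier, set())
```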



