Looks like a flaw, but not a serious one.
First of all, the hacker has to have possession of your phone. If you've lost your phone, you can (and should) remotely wipe it.
Second, the hacker only gets access to your contact list and dialing capability. Yeah, he could make creepy phone calls, but so what?