all you need to do is set up DRL to only make 999 calls and put all the vm ports into that DRL so when the vm card has been hacked it cant do anything as the phone system wont allow it
This could become a problem if you use your voicemail to transfer calls to cellphone or other external service.
This is true. In cases it will be the Toshiba tech that sets up any outside notifications or transfer, so you should be able to evaluate this per customer. If they do not have any notifications or offsite transfers you could not only restrict all outside calls in DRL, but also disable Tandem CO connections in COS.
Lately I have been setting up all VM ports with their own DRL that can only dial local numbers and nearby long distance numbers in an Allow DR table. The VM ports also get their own COS. If I don't setup offsite transfers than I will disable Tandem CO connection as well. Hopefully if another tech sets up offsite transfers in the future they will test it and realize the problem. If the customer only needs message notification then you can still leave Tandem CO connections disable.