I'm not sure of the details here, but it wouldn't be too hard to make sure the reset call arrived in the middle of another call.

That makes a lot of sense and could have been what happened. It would also make it more difficult for Google to do something like ignore responses that come after 4+ rings.

I'm more curious why a "secure" PIN is simply left, automated, as a message. A more "secure" option, I would think, would be to require some sort of input from the person who answered (say, "Press 1 for the PIN" where that number is randomized, or something).