Why aren't IMSI catchers rendered ineffective by standard MITM defenses?

tl;dr - the protocols were developed prior to MITM being perceived as a threat; the deployed infrastructure now serving billions of cell phones worldwide can't easily be changed to add cell tower validation; and governments have no interest in fixing this issue.

Cell phone protocols differ from IP protocols in that they were never a peer-to-peer network of untrusted devices. The original cell phones were analog, with only a small channel of digital data to carry call information. These analog protocols were developed in the 1970s when the micro CPUs had almost no power or storage, and the only security thought was to ensure accurate billing. Also working in the cellular companies' favor, the only equipment authorized to transmit on those frequencies was under full control of the cellular manufacturers; companies like Motorola had a virtual lock on all the equipment on both ends of the call. The protocol they created was such that the cell phones implicitly trust the cell towers for all operational information: signal strength measurements (for optimizing battery life), network IDs (for billing and roaming charges), and encryption requirements (which need to be turned off on a per-jurisdiction basis). The phone responds with its ID in order to register to receive incoming call information, and the phone company authenticates the ID to ensure proper billing. But in all this, the phone never authenticates the tower.

Also, all this metadata is exchanged in cleartext. When digital cellular protocols like GSM arrived, nothing much had changed in the security model. In the 1990s, the main security threat was eavesdroppers, so laws were passed in the US prohibiting listening in on cell calls. Digital voice data was easy to encrypt to protect the privacy of the calls (supposedly a government agency ensured that weak encryption algorithms were selected). Otherwise, the existing cellular protocols continued to work without many security issues (security issues primarily being defined by the cellular companies as "people hacking our systems to make free calls").

Stingrays and other IMSI-catchers violate the cell tower agreements by producing an illegal signal, pretending to be a cell tower. They forge a signal strength response of "excellent", which causes the phone to not switch towers. They identify themselves as various common network IDs, so the phones do not switch away to avoid roaming charges. They control the encryption flag, which will cause a phone to downgrade security either to the least secure algorithm, or disable encryption completely. As far as a MITM goes, they may pass along the phone call data to a legitimate tower, or they may simply send back an error code the user sees as a call failure.

Nowhere in the protocol designs was a thought given to malicious actors transmitting on their licensed frequencies. Illegal use of airwaves has long been a felony, and their original approach was legal: "if someone even tries to spoof a cell phone, we'll have them arrested and locked up for a decade."

But it turns out that not everyone is afraid of committing a crime, least of all police departments armed with warrants and Stingrays. Private researchers have also exploited loopholes in the law, where they transmit cell tower signals legally on unlicensed frequencies (the ISM band). This same band happens to be allocated for cell use in foreign countries, so a quad-band phone in the US will happily receive the faked signals.


Virtually all modern phone technology is rooted in GSM technology, which has been incrementally updated since (Japan is the main exception left). GSM originated in Europe in the 1980s, when all phone networks were (quasi) state-run. In addition, this was in an age when encryption was still banned for export purposes, so the GSM standard was intentionally designed to be able to run with weak encryption. This allowed the export of GSM to Eastern Europe.

Despite this rather Cold War view, GSM was definitely intended as a global standard, so GSM phones by design believe a network that claims not to support encryption.

Of course, in today's world, an honest phone maker would intentionally ignore such vulnerable networks. The fact that they don't is probably a good indication of how much you should trust your phone vendor. It's fair to say that your phone intentionally connects to a base station that is known to be spoofed. The MITM attack window is by design.


You can compare the IMSI catcher with an SSL downgrading attack. If you look at how GSM works, it supports different protocols: classic GSM, GPRS, HSDPA, 3G, 4G, ...

Each of these was developed in its own time, and the most basic protocol allowed for optional encryption or was using a "proprietary" encryption protocol that was vulnerable.

Cellphones need to support different protocols, because not all countries have the latest protocol in place. This means your iPhone can still speak basic, vulnerable GSM.

So what these stingrays do is downgrade the connection and force your phone to communicate using a vulnerable version of the protocol.
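The exchange the answers above describe, as an added example that is not part of any answer on this page: a toy Python model of GSM cell selection, subscriber authentication and cipher selection. It shows the asymmetry from the first answer (the phone proves it holds its key by answering RAND with SRES, but the cell never proves anything to the phone) and the downgrade from the last answer (the cell simply orders A5/0, i.e. no encryption). Everything in it is constructed: the PLMN code, signal levels, IMSI and Ki are made up, HMAC-SHA256 stands in for the A3/A8 algorithms, and the `allow_a5_0=False` option is an illustrative policy, not something the answers say real phones implement.

```python
"""Toy model of the GSM attach exchange the answers above describe.

Constructed example: the PLMN codes, signal levels, IMSI and Ki are made up,
and HMAC-SHA256 stands in for the real A3/A8 algorithms (only the output
sizes, a 32-bit SRES and a 64-bit Kc, are kept). Nothing here is baseband code.
"""
import hashlib
import hmac
import os


def a3_a8(ki, rand):
    """Stand-in for A3/A8: derive SRES (4 bytes) and Kc (8 bytes) from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class BaseStation:
    """A cell. Only the home network's cells hold subscriber keys; a rogue cell does not."""

    def __init__(self, label, plmn, rx_level, cipher, subscribers=None):
        self.label = label              # for the report only; the phone never learns it
        self.plmn = plmn                # network identity, broadcast in the clear
        self.rx_level = rx_level        # signal strength the phone will measure (0..63)
        self.cipher = cipher            # what this cell puts in its CIPHER MODE COMMAND
        self.subscribers = subscribers or {}   # IMSI -> Ki
        self.seen_imsis = []

    def beacon(self):
        return {"plmn": self.plmn, "rx_level": self.rx_level, "bts": self}

    def serve(self, imsi, answer_challenge):
        """Challenge the phone, verify SRES if we hold its Ki, then select the cipher.
        Returns the cipher the phone is ordered to use, or None if the subscriber is rejected."""
        self.seen_imsis.append(imsi)    # the IMSI arrives in cleartext, before any key exists
        rand = os.urandom(16)
        sres = answer_challenge(rand)   # the phone proves it holds Ki ...
        if self.subscribers:            # ... and only a legitimate network can check that
            expected, _kc = a3_a8(self.subscribers[imsi], rand)
            if not hmac.compare_digest(sres, expected):
                return None
        # A rogue cell has no Ki and cannot verify SRES, but nothing forces it to:
        # at no point does the protocol make the cell prove anything to the phone.
        return self.cipher


class Phone:
    def __init__(self, imsi, ki, home_plmn, allow_a5_0=True):
        self.imsi, self.ki, self.home_plmn = imsi, ki, home_plmn
        self.allow_a5_0 = allow_a5_0    # False models a phone that refuses "no encryption"

    def pick_cell(self, beacons):
        """Prefer the home PLMN, then the strongest signal. Nothing distinguishes a real
        home-network cell from one that merely claims the same PLMN."""
        best = max(beacons, key=lambda b: (b["plmn"] == self.home_plmn, b["rx_level"]))
        return best["bts"]

    def attach(self, beacons):
        bts = self.pick_cell(beacons)
        cipher = bts.serve(self.imsi, lambda rand: a3_a8(self.ki, rand)[0])
        refused = cipher == "A5/0" and not self.allow_a5_0
        return {
            "served_by": bts.label,
            "attached": cipher is not None and not refused,
            "cipher": None if refused else cipher,
        }


def run_scenario(rogue_present=True, allow_a5_0=True):
    """Attach a phone with a legitimate home cell nearby and, optionally, a rogue cell
    that forges the home PLMN, advertises an 'excellent' signal and orders A5/0."""
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")   # made-up 128-bit Ki
    imsi = "001010123456789"                                  # IMSI in test PLMN 001-01
    home = BaseStation("home", "001-01", rx_level=40, cipher="A5/3", subscribers={imsi: ki})
    rogue = BaseStation("rogue", "001-01", rx_level=63, cipher="A5/0")
    cells = [home, rogue] if rogue_present else [home]
    phone = Phone(imsi, ki, home_plmn="001-01", allow_a5_0=allow_a5_0)
    result = phone.attach([c.beacon() for c in cells])
    result["imsi_captured_by_rogue"] = imsi in rogue.seen_imsis
    return result


if __name__ == "__main__":
    for rogue_present, allow_a5_0 in ((False, True), (True, True), (True, False)):
        print(rogue_present, allow_a5_0, run_scenario(rogue_present, allow_a5_0))
```

Running it shows three outcomes: with no rogue nearby the phone attaches to the home cell with A5/3; with the rogue present the phone picks it purely on signal strength, answers its challenge, and obeys the A5/0 order; and even the phone that refuses A5/0 has already handed its IMSI to the rogue cell in the clear, because identification and the SRES answer happen before the cipher is ever chosen. That last case is the caveat behind the first answer's point: refusing weak ciphers would stop the eavesdropping part of the attack, not the IMSI catching.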