Why are IMSI and IMEI still used?

While I understand their function, both IMSI and IMEI makes tracking and surveillance possible by virtue of being persistent idenfitiers for SIM and handset, respectively.

Why aren’t these replaced with a more secure scheme, maybe something along the lines of randomizing publicly visible device identifier every now and then (sort of like Bluetooth/WiFi MAC randomization) and sending some session-details (instead of a person/SIM-identifier) over an encrypted connection?

Is it mostly (only?) backward compatibility?