@pavel that would require patching CommCenter/rild if not even the baseband firmware. On iOS that means jailbroken (insecure) phones, on Android that might work with custom ROMs.
IMHO location tracking is not that severe. An RBS could take over the whole communication like SMS, Internet, etc. or be the entry point for RCE in the baseband firmware.
@pavel Limiting cells to known good ones might not be feasible for protesters, journalists, etc. in practice.
Also, attackers could use the same "good" cell ID for an RBS. The phone would then attempt to connect to it, especially if it has a stronger signal. Indicators of compromise here would be the signal strength and, if the attacker does not collaborate with telcos, a failed authentication attempt. Both are used as detection criteria by CellGuard.
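
The two indicators named in the reply above (a known cell ID suddenly appearing with a much stronger signal, and a failed authentication attempt) can be combined into a simple triage, shown here as an added example that is not part of the thread and is not CellGuard's implementation. The field names, cell IDs, readings and the 15 dB margin are all constructed assumptions.

```python
from statistics import median

# Assumed threshold: dB above a cell's usual level that counts as anomalous.
SIGNAL_MARGIN_DB = 15

# Constructed baseline: signal readings (dBm) seen earlier for each cell ID.
BASELINE = {
    "cell-A": [-101, -98, -103, -99, -100],
    "cell-B": [-110, -108, -112],
}

# Constructed observations; auth_ok records whether network authentication succeeded.
OBSERVATIONS = [
    {"cell_id": "cell-A", "rsrp_dbm": -99, "auth_ok": True},
    {"cell_id": "cell-A", "rsrp_dbm": -62, "auth_ok": False},
    {"cell_id": "cell-B", "rsrp_dbm": -85, "auth_ok": True},
    {"cell_id": "cell-unknown", "rsrp_dbm": -70, "auth_ok": False},
]


def indicators(obs, baseline, margin_db=SIGNAL_MARGIN_DB):
    """Return the indicators that fire for one observation."""
    found = []
    history = baseline.get(obs["cell_id"])
    # A reused "good" cell ID only stands out against that cell's own history,
    # so cells without a baseline are not judged on signal strength.
    if history and obs["rsrp_dbm"] - median(history) > margin_db:
        found.append("signal_jump")
    if not obs["auth_ok"]:
        found.append("auth_failure")
    return found


def verdict(obs, baseline):
    """Both indicators together are the strongest case; one alone needs review."""
    found = indicators(obs, baseline)
    if len(found) == 2:
        return "suspicious", found
    if found:
        return "review", found
    return "ok", found


def triage(observations, baseline):
    """Label each observation in order."""
    return [verdict(o, baseline)[0] for o in observations]


if __name__ == "__main__":
    for obs in OBSERVATIONS:
        print(obs["cell_id"], obs["rsrp_dbm"], *verdict(obs, BASELINE))
```
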