I agree what you say, the company that receives the KYC should be careful to check the incoming identity data, because if it is still like that, it is unfair to the person sending the real data.
I think that there is no way to verify documents properly. Of course scammers and dishonest project participants use this. However, I suppose there is a huge amount of fake ICOs which collect and sell our personal documents and this is much worst. So where is the truth?
If the way you talk like this then this is very bad since our personal identity is very high value.
Selling them by scam ico will impact to us. Maybe there are some project already sell our identity to other scam project. Its scary