KYC is literally for this, we can't do anything more than that, if an exchange asks for KYC and somehow still doesn't get the right guy that means there is nothing else they should be doing. Hell I have recently bought a yoga mat and didn't give any other information then my address so they can ship it, I bought a game from steam and never really gave ANY info, my name and address they asked there were all fake and nobody checked it twice.
So, exchanges are already doing something much much more than what the other ecommerce are doing, we should not be asking them anything more. If there is a hacking going on and people withdrew, just use their KYC to catch them, give all the info you have to cops and they will chase him, if not that means its not exchanges fault.
~50$ - that's how much you need to pay for KYC photos on darknet.
~100$ - that's how much you need to pay for credit card that is registered on random guy.
Also ICOs scammers has thousands of ID from their KYC that they demanded from their clients. Sometimes i think that this is a main income from today's ICOs. You get 1000 bounty hunters that perform KYC to get reward and you have 50 000$ from darknet. You don't need to sell even a single token during ICO.
Any restrictions will only makes things harder for honest guys. Scammers will always find a way to scam.