
I've seen freshly built networks about 5 years ago that had no encryption or authentication whatsoever on their SIM cards. Anybody could "brick" any SIM with an OTA command to overwrite the IMSI file, or intercept SMSes by overwriting the SMS service center address, etc.

SIM vendor didn't want to install crypto keys for free, network operator didn't understand the importance...



What's an easy way an end-user can check for this?


Here are some ways, easiest first:

1. Use a USB SIM card reader to see the contents of the standard files on your SIM to see if encryption is enabled.

2. Use a SIM-OTA system to send a command and see if it works. For example, overwrite your Service Provider Name (SPN) file with "Foobar", reboot your phone, and see if you now see this name instead of "AT&T" (or whatever).

3. Build your own SIM OTA system and do the above. This is easy. You just need a way to send SMS with the OTA bit set: e.g. a USB GSM modem on a network that allows it or an internet SMS gateway that allows it.

GSM 11.11 spec tells you what files are on the standard SIM card (including crypto settings): http://www.etsi.org/deliver/etsi_ts/101200_101299/101267/08....

GSM 03.48 spec tells you how to encode SMS-OTA messages: http://www.etsi.org/deliver/etsi_ts/101100_101199/101181/08....

I built a commercial SIM-OTA platform about 6-7 years ago that's sold by a big OEM. This was interesting: SIM card vendors really don't like the idea of network operators being able to independently do stuff with the SIMs they buy.
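As an added example (not code from the thread), here is a Python decoder for the GSM 03.48 (TS 101 181) Command Packet header the comment above points to: it splits the header fields and reports whether an OTA command carries a cryptographic checksum, ciphering and a replay counter, which is what "no encryption or authentication" on a SIM boils down to. It assumes the command packet has already been extracted from the SMS user data; the sample packets are constructed, and the TAR and counter values are placeholders.

```python
import struct
from dataclasses import dataclass

# Assumed field layout of a GSM 03.48 Command Packet:
#   CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) RC/CC/DS(CHL-13) secured data
INTEGRITY = {0: "none", 1: "RC (redundancy check, not cryptographic)",
             2: "CC (cryptographic checksum)", 3: "DS (digital signature)"}
COUNTER = {0: "no counter", 1: "counter present, not checked",
           2: "accept only counter > stored", 3: "accept only counter == stored + 1"}

@dataclass
class OtaHeader:
    spi: bytes
    kic: int
    kid: int
    tar: bytes
    cntr: int
    pcntr: int
    rc_cc_ds: bytes
    secured_data: bytes

def parse_command_packet(pkt: bytes) -> OtaHeader:
    """Split a Command Packet into its header fields; raise on inconsistent lengths."""
    if len(pkt) < 16:
        raise ValueError("too short for a 03.48 command header")
    (cpl,) = struct.unpack(">H", pkt[:2])   # length of everything after CPL
    chl = pkt[2]                             # length from SPI to end of RC/CC/DS
    if cpl != len(pkt) - 2 or chl < 13 or 3 + chl > len(pkt):
        raise ValueError("CPL/CHL inconsistent with packet length")
    return OtaHeader(spi=pkt[3:5], kic=pkt[5], kid=pkt[6], tar=pkt[7:10],
                     cntr=int.from_bytes(pkt[10:15], "big"), pcntr=pkt[15],
                     rc_cc_ds=pkt[16:3 + chl], secured_data=pkt[3 + chl:])

def assess_protection(hdr: OtaHeader) -> dict:
    """Decode the first SPI byte: b1b2 integrity, b3 ciphering, b4b5 counter handling."""
    spi1 = hdr.spi[0]
    integrity = spi1 & 0b11
    return {
        "integrity": INTEGRITY[integrity],
        "ciphered": bool(spi1 & 0b100),
        "counter": COUNTER[(spi1 >> 3) & 0b11],
        # Only CC or DS ties the command to a key; RC is a plain checksum anyone can compute.
        "weak": integrity < 2,
    }

# Constructed sample packets (not captured traffic); TAR 000000 and CNTR are placeholders.
UNPROTECTED = bytes.fromhex("0010" "0d" "0000" "00" "00" "000000" "0000000000" "00" "a0a4")
PROTECTED = bytes.fromhex("0018" "15" "1605" "15" "15" "000000" "0000000005" "00"
                          + "00" * 8 + "a0a4")   # SPI 0x16: CC + ciphering + counter check

if __name__ == "__main__":
    for name, pkt in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(name, assess_protection(parse_command_packet(pkt)))
```

A SIM that accepts a packet with SPI byte 1 of 0x00 processes file updates with no key involved at all, which is the condition the original comment describes.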



