We thought about that also. However, when you change a domain name or change one of the alias names than a hash would not work any more. Encrypting it with a hardcoded key only "obscures" the passwords (until someone gets the bit secret out of the code). Encrypting it using the private key of the PBX (used for TLS) would be a possibility.
At least the sys admin login uses a hash for the password!
And of course, file system access should be strict. This is not a public area.