I don’t understand the above discussion either.
The bug is very simple: if the mode is not verbose, then no cleanup of UserAuthTokenLog is performed at all, ever. The if must go.
The original implementation only logged when SiteSetting.verbose_auth_token_logging is true, which still had the problem that after disabling it, the most recent remaining logs would stay, but that’s a small thing.
But this change made the logging unconditional (“The generate, rotate and suspicious auth token logs are now always logged regardless of the verbose_auth_token_logging setting”).
TL;DR: That change forgot to make the removal unconditional as well.
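The behaviour described in the post above, as an added example that is not part of the original post and is not Discourse's code: a small in-memory model in which logging is unconditional but cleanup is still guarded by the verbose setting, next to the same cleanup with the guard removed. The class `AuthTokenLogModel`, its method names, and the 7-day retention window are assumptions made for the model.

```ruby
# Simplified in-memory model (constructed); not Discourse's code.
# AuthTokenLogModel, RETENTION_DAYS and the method names are hypothetical.
class AuthTokenLogModel
  RETENTION_DAYS = 7 # assumed retention window for the model
  DAY = 86_400

  attr_reader :rows

  def initialize(verbose:)
    @verbose = verbose
    @rows = []
  end

  # Logging after the change: generate/rotate/suspicious are always written.
  def log(action, at)
    @rows << { action: action, created_at: at }
  end

  # Cleanup as described in the post: skipped entirely unless verbose is on.
  def cleanup_gated(now)
    return unless @verbose
    cleanup_unconditional(now)
  end

  # Cleanup with the guard removed: old rows always expire.
  def cleanup_unconditional(now)
    cutoff = now - RETENTION_DAYS * DAY
    @rows.reject! { |r| r[:created_at] < cutoff }
  end
end

# Run `days` days of one token rotation per day, cleaning up after each,
# and return how many log rows remain.
def simulate(days:, verbose:, cleanup:)
  model = AuthTokenLogModel.new(verbose: verbose)
  start = Time.utc(2024, 1, 1)
  days.times do |d|
    now = start + d * AuthTokenLogModel::DAY
    model.log("rotate", now)
    model.public_send(cleanup, now)
  end
  model.rows.size
end

if __FILE__ == $PROGRAM_NAME
  puts simulate(days: 30, verbose: false, cleanup: :cleanup_gated)
  puts simulate(days: 30, verbose: false, cleanup: :cleanup_unconditional)
end
```

With the setting off, the gated variant keeps every row ever written, while the unconditional variant stays bounded by the retention window.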