authentication – Does this official “Enforce MFA” AWS policy make any sense?

AWS officially recommends having this policy:


    {
        "Sid": "BlockMostAccessUnlessSignedInWithMFA",
        "Effect": "Deny",
        "NotAction": [
            "iam:DeleteVirtualMFADevice",
            "..."
        ],
        "Resource": "*",
        "Condition": {
            "Bool": {
                "aws:MultiFactorAuthPresent": "false"
            }
        }
    }

which presumably is supposed to enforce an MFA requirement for the account.

But to me, having "iam:DeleteVirtualMFADevice" in there makes it not very useful.

2FA to me is a second measure to protect the authentication flow: you must not only know a password, but also have a 2FA device.

Now, with this policy, you can remove a virtual MFA device as long as you have a valid access token.

And "iam:DeleteVirtualMFADevice" cannot be removed from there: if one removes it, the AWS console MFA setup page breaks (it says the MFA already exists, even if it wasn't set up yet).

Am I missing something, or is it security theatre happening here?
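As an added example (not from the question or from AWS), here is a small Python audit of a policy document shaped like the one quoted: it finds Deny statements keyed on `aws:MultiFactorAuthPresent` and flags `NotAction` entries that let a principal weaken its own MFA, and it also reports whether the statement uses `Bool` rather than `BoolIfExists`. The sample policy, its extra `NotAction` entry and the list of MFA-weakening actions are constructed assumptions for the demonstration.

```python
import json

# Actions that let a principal remove or disable its own second factor.
# Leaving them reachable without MFA is exactly the gap the question raises.
MFA_WEAKENING_ACTIONS = {
    "iam:DeleteVirtualMFADevice",
    "iam:DeactivateMFADevice",
}

# Constructed sample mirroring the quoted statement; "iam:ListMFADevices"
# is an assumed extra entry, not taken from the question.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BlockMostAccessUnlessSignedInWithMFA",
        "Effect": "Deny",
        "NotAction": ["iam:ListMFADevices", "iam:DeleteVirtualMFADevice"],
        "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
    }],
})

def mfa_gating_statements(policy):
    """Yield (statement, operator) for Deny statements conditioned on
    aws:MultiFactorAuthPresent being false."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            present = str(keys.get("aws:MultiFactorAuthPresent", "")).lower()
            if operator in ("Bool", "BoolIfExists") and present == "false":
                yield stmt, operator

def audit_mfa_policy(policy_json):
    """Return human-readable findings for an MFA-enforcing Deny policy."""
    findings = []
    for stmt, operator in mfa_gating_statements(json.loads(policy_json)):
        sid = stmt.get("Sid", "<no Sid>")
        not_action = stmt.get("NotAction", [])
        if isinstance(not_action, str):          # IAM allows a bare string
            not_action = [not_action]
        for action in sorted(MFA_WEAKENING_ACTIONS & set(not_action)):
            findings.append(f"{sid}: {action} is reachable without MFA")
        if operator == "Bool":
            # The key is absent for long-term access keys, so Bool never
            # matches those requests; BoolIfExists denies them as well.
            findings.append(f"{sid}: Bool skips requests where the key is absent "
                            "(long-term access keys); BoolIfExists also denies those")
    return findings

if __name__ == "__main__":
    for finding in audit_mfa_policy(SAMPLE_POLICY):
        print(finding)
```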