authentication – Does this official “Enforce MFA” AWS policy make any sense?

At https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/ AWS officially recommends having this policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BlockMostAccessUnlessSignedInWithMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:ListVirtualMFADevices",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:ListSSHPublicKeys",
                "iam:ListAccessKeys",
                "iam:ListServiceSpecificCredentials",
                "iam:ListMFADevices",
                "iam:GetAccountSummary",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

which presumably is supposed to enforce an MFA requirement for the account.

But to me having "iam:DeleteVirtualMFADevice" makes it not very useful.

2FA to me is a second measure to protect the authentication flow: you must not only know a password, but also possess a 2FA device.

Now with this policy – it allows removing a virtual MFA device as long as you have a valid access token.

And "iam:DeleteVirtualMFADevice" cannot be removed from there: if one removes it – then the AWS console MFA setup page is broken (it says the MFA already exists, even if it wasn't set up yet).

Am I missing something, or is it security theatre happening here?
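To see concretely which requests the quoted Deny statement does and does not block, here is a small model of how IAM evaluates it. This is an added example written for this page, not code from the question or from AWS; it models only the pieces the statement uses (Effect=Deny, NotAction, a Bool or BoolIfExists condition on aws:MultiFactorAuthPresent, Resource "*") and ignores the rest of IAM's evaluation logic. The NotAction list is shortened to the entries the example needs, and the request contexts are constructed. It reproduces the asker's point (iam:DeleteVirtualMFADevice is not denied when MFA is absent) and adds one caveat a reviewer of this policy would also check: per AWS's documentation of the aws:MultiFactorAuthPresent key, the key is absent from requests made with long-term access keys, a plain Bool condition does not match an absent key, and AWS therefore documents BoolIfExists for Deny statements of this kind.

```python
"""Added example (not from the question or from AWS): a minimal model of how
IAM evaluates the Deny statement quoted above, to show which requests it
blocks. Real IAM evaluation has many more rules; this is an illustration."""
from fnmatch import fnmatchcase

# The statement from the question, with the NotAction list shortened to the
# entries relevant to this illustration (constructed subset).
MFA_DENY_STATEMENT = {
    "Sid": "BlockMostAccessUnlessSignedInWithMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
}


def _action_matches(patterns, action):
    # IAM action names are matched case-insensitively and support * wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists operators against the request context.

    context maps condition keys to string values. A key that is absent from
    the request (aws:MultiFactorAuthPresent for long-term access keys) is
    simply missing from the dict."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                # Missing key: Bool evaluates to false, statement does not match.
                if actual is None or actual.lower() != expected.lower():
                    return False
            elif operator == "BoolIfExists":
                # Missing key: treated as a match ("if exists").
                if actual is not None and actual.lower() != expected.lower():
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def statement_denies(statement, action, context):
    """True if this Deny statement applies to the request (action, context)."""
    if statement["Effect"] != "Deny":
        return False
    if "NotAction" in statement:
        # NotAction: the statement applies to every action NOT in the list.
        action_hit = not _action_matches(statement["NotAction"], action)
    else:
        action_hit = _action_matches(statement["Action"], action)
    if not action_hit:
        return False
    return _condition_matches(statement.get("Condition", {}), context)


def with_operator(statement, operator):
    """Copy of the original statement using a different condition operator."""
    (key, val), = statement["Condition"]["Bool"].items()
    new = dict(statement)
    new["Condition"] = {operator: {key: val}}
    return new


# Request contexts (constructed for the example).
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}  # temporary creds, no MFA
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}      # temporary creds, MFA used
LONG_TERM_KEYS = {}                                        # key absent entirely


def summarize(statement):
    """Map of case name -> denied?, for the cases discussed on this page."""
    cases = {
        "no_mfa/delete_mfa": ("iam:DeleteVirtualMFADevice", NO_MFA_SESSION),
        "no_mfa/s3_get": ("s3:GetObject", NO_MFA_SESSION),
        "mfa/s3_get": ("s3:GetObject", MFA_SESSION),
        "keys/s3_get": ("s3:GetObject", LONG_TERM_KEYS),
    }
    return {name: statement_denies(statement, a, c) for name, (a, c) in cases.items()}


if __name__ == "__main__":
    for op in ("Bool", "BoolIfExists"):
        print(op, summarize(with_operator(MFA_DENY_STATEMENT, op)))
```

Running it shows the two things worth knowing about this statement: with either operator, iam:DeleteVirtualMFADevice is never denied for a session without MFA (the asker's concern), and with the Bool operator as quoted, an s3:GetObject request made with long-term access keys is not denied either, because the condition key is absent; switching the operator to BoolIfExists is what makes that case deny.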