
You can blame lax/non-existent GDPR enforcement for this.

This is against the GDPR (and no better than just not having a consent flow in the first place) but is allowed to continue since nobody cares about enforcing it.

Actually, the only reason the consent flow is there is because advertising providers require it (but only require the presence of one, ignoring the actual GDPR compliance of it).




I doubt that advertisers require a bogus consent flow implementation.

More likely their legal checkbox is that GDPR rights are properly protected, such as via a consent flow, if needed. That normally requires an assessment of the rights impacted, the data collected, and the required consents, and an implementation of the flow itself to cover that.

This assessment has to be done by the app or website displaying the advertising. And also by the advertiser. As you can probably guess, writing such an assessment is knowledge work and costs time. People quickly noticed that if they just skip this and put in a consent flow, bogus or not, no one will care... So money saved?

Probably the market was right: most companies will save money that way. Which is both unfortunate and logical.

However, it's also a huge legal liability if your app or website operates in certain sensitive domains. Such as healthcare and politics, and possibly social media.

Because it may turn out the product didn't have the right to collect any data. And that sensitive data was collected (could be inferred). And that the advertiser should have known this, because of a bogus consent flow implementation.

Then the final question is: What's the damage? Why is this a 'huge' liability?

Answer: At this stage you're looking at class actions in the US, or 'snipperschade' claims (mass 'little-damage' remuneration) in the EU.

Art. 82 of the GDPR provides for the possibility of compensation, including for immaterial damage. Successfully claiming damage under that article lacks a large corpus of case-law. It is 'in development'. Largely because the requirements of evidence are difficult to meet in most cases. Especially those not involving sensitive categories of data.

In the event of a mass art. 82 claim for sensitive data, one may expect both the advertiser as well as the product displaying advertising to be targeted. And lawyers would be incentivized to pursue this via a mass 'class' action. Which magnifies the claim to a portion of the affected EU population (500 million) and an amount of monetary compensation.

So let's say 2,500,000 * 30 euros = 75,000,000. So a fairly small portion of people (0,5%) and a small amount of remuneration. Amounts to 75 million in damages. Lawyers take home a percentage of that.

In essence this is a lawsuit waiting to happen. But probably not to you, and not to this app.



