Why?

Posted Jul 19, 2025 19:58 UTC (Sat) by raven667 (subscriber, #5198)
In reply to: Why? by epa
Parent article: Linux and Secure Boot certificate expiration

At the risk of getting this completely wrong because I didn't go back and re-read all the surrounding context: the firmware doesn't care about the validity timestamps because it's not expected to have a reliable way to know what time it really is, but I think the issue is that new OS kernels will be signed by the 2023 key and not the 2011 key, so any system which only has the 2011 key and does not get updated to also have the 2023 key isn't going to be able to verify new things that are only signed by the 2023 key. The hardware vendor has their own key and can sign an update using their key to include the new 2023 key so both old and new stuff can be validated, and Microsoft has signed an update for the 2023 key with the 2011 key so systems can validate it to load that key into the firmware key store, but at some point systems will need to be booted into the firmware EFI environment to add the key, if they want to keep the Secure Boot validation feature enabled and use new software or new add-in cards with EFI option ROMs.

If I've got the details wrong maybe someone will correct me ;-). My workstation already has 2023 keys according to the Firmware app, as the vendor is still issuing updates which I apply regularly from LVFS; I'll have to check my personal machines, though, which I'll get around to eventually.

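The check raven667 describes doing through the Firmware app, done by hand: read the Secure Boot db variable and list the certificate subjects it contains, so you can see whether the 2023 Microsoft CA has reached a given machine. This is an added example, not code from the article or from any commenter. The EFI_SIGNATURE_LIST parser follows the layout in the UEFI specification; the certificate-name extraction is a heuristic scan for the commonName OID rather than a real X.509 parser (use `openssl x509 -inform der -noout -subject` for anything that matters); the sample database is constructed from fake certificate blobs, and the subject strings in it are the names I recall for Microsoft's third-party UEFI CAs, which you should confirm against your own firmware's output.

```python
"""Added example: inspect a UEFI Secure Boot signature database (db, KEK, dbx)
and report the X.509 certificates it holds, so you can tell whether the 2023
Microsoft CA is already in a machine's firmware key store."""
import struct
import sys
import uuid

# GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # vendor GUID of db/dbx
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # vendor GUID of PK/KEK
SIGLIST_HEADER_SIZE = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)


def parse_signature_lists(data):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a
    blob of concatenated EFI_SIGNATURE_LIST structures (the format of db/dbx/KEK)."""
    off = 0
    while off < len(data):
        if len(data) - off < SIGLIST_HEADER_SIZE:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body_start = off + SIGLIST_HEADER_SIZE + hdr_size
        body_end = off + list_size
        if (sig_size < 16 or body_start > body_end or body_end > len(data)
                or (body_end - body_start) % sig_size):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            yield sig_type, owner, data[pos + 16:pos + sig_size]
        off = body_end


def _der_len(buf, i):
    """Decode a DER length field at buf[i]; return (length, index after the field)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def subject_cn(der):
    """Heuristic: return the last commonName (OID 2.5.4.3) string in the blob.
    In a TBSCertificate the subject follows the issuer, so the last CN is the
    subject's. Assumes no CN appears in extensions; not a real X.509 parser."""
    marker = b"\x06\x03\x55\x04\x03"  # OBJECT IDENTIFIER 2.5.4.3 (commonName)
    cn = None
    i = der.find(marker)
    while i != -1:
        j = i + len(marker)
        if j < len(der) and der[j] in (0x0C, 0x13, 0x14, 0x1E):  # UTF8/Printable/T61/BMPString
            length, start = _der_len(der, j + 1)
            raw = der[start:start + length]
            cn = raw.decode("utf-16-be") if der[j] == 0x1E else raw.decode("utf-8", "replace")
        i = der.find(marker, j)
    return cn


def list_certificates(data):
    """Subject CNs of all X.509 entries in a signature database blob, in order."""
    return [subject_cn(sig) for t, _owner, sig in parse_signature_lists(data)
            if t == EFI_CERT_X509_GUID]


def has_cert(data, needle):
    """True if any X.509 entry's subject CN contains `needle` (e.g. "2023")."""
    return any(needle in (cn or "") for cn in list_certificates(data))


def read_efivar(name, vendor_guid=EFI_IMAGE_SECURITY_DATABASE_GUID):
    """Read a variable from efivarfs (Linux); the first 4 bytes are attributes."""
    with open("/sys/firmware/efi/efivars/%s-%s" % (name, vendor_guid), "rb") as f:
        return f.read()[4:]


# --- constructed sample data (stand-ins, not real certificates) ---------------
def _fake_cert(issuer, subject):
    """Fake DER-ish blob: just an issuer CN then a subject CN. Demo only."""
    def attr(s):
        b = s.encode()
        return b"\x06\x03\x55\x04\x03\x0c" + bytes([len(b)]) + b
    return b"\x30\x82\x00\x00" + attr(issuer) + attr(subject)


def build_signature_list(cert, owner=uuid.UUID(int=0)):
    """Pack one DER blob into an EFI_SIGNATURE_LIST of type EFI_CERT_X509_GUID
    (firmware db entries normally hold one certificate per list)."""
    body = owner.bytes_le + cert
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", SIGLIST_HEADER_SIZE + len(body), 0, len(body))
    return header + body


OLD_ONLY_DB = build_signature_list(_fake_cert("Microsoft Corporation Third Party Marketplace Root",
                                              "Microsoft Corporation UEFI CA 2011"))
SAMPLE_DB = OLD_ONLY_DB + build_signature_list(_fake_cert("Microsoft RSA Devices Root CA 2021",
                                                          "Microsoft UEFI CA 2023"))

if __name__ == "__main__":
    # Usage: python3 sbdb.py            -> read db from efivarfs (Linux, root usually needed)
    #        python3 sbdb.py dump.esl   -> parse a saved signature-list file instead
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else read_efivar("db")
    for cn in list_certificates(blob):
        print(cn)
    print("2023 CA present:", has_cert(blob, "2023"))
```

On a Linux machine the same information is available from `mokutil --db` (and `--kek`, `--pk`) without any parsing; this block is useful when you have a saved copy of the variable or want the check inside your own tooling. The distinction the comment draws still applies once the name shows up: the 2023 CA being in db lets the firmware verify binaries signed under it, but whether a given distribution's shim and kernel are actually signed under that key is a separate question.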

Why?

Posted Jul 21, 2025 8:12 UTC (Mon) by taladar (subscriber, #68407)

> Microsoft has signed an update for the 2023 key with the 2011 key

Wouldn't that make expiry even more pointless than it already is with a 12 year expiry time?


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds