Because --keep-until-expiring is not the default for certonly or run. It should be though (and require --force-renewal to override). This is the reason why we get so many rate-limited visitors! Almost no one knows about --force-renewal, which is why renew is a safe command.
--keep-until-expiring, --keep, --reinstall
    If the requested certificate matches an existing certificate, always keep the existing one until it is due for renewal (for the 'run' subcommand this means reinstall the existing certificate). (default: Ask)
To make matters worse:

If a certificate is requested with run or certonly specifying a certificate name that already exists, Certbot updates the existing certificate. Otherwise a new certificate is created and assigned the specified name.

https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
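To make the flag semantics above concrete, here is an added example (not code from the post or from certbot itself) that models which subcommand/flag combinations cause a fresh issuance, and so count against the rate limits, and which reuse the existing certificate. It assumes certbot's default 30-day renewal window and parses the notAfter line printed by `openssl x509 -noout -enddate`; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Assumption: certbot's default renew_before_expiry window is 30 days.
RENEW_WINDOW = timedelta(days=30)


def utc(year, month, day, hour=0):
    """Convenience constructor for aware UTC timestamps."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def parse_enddate(line):
    """Parse a 'notAfter=Mon DD HH:MM:SS YYYY GMT' line from `openssl x509 -enddate`."""
    _, _, value = line.strip().partition("=")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def is_due(not_after, now):
    """True when the certificate is inside the renewal window."""
    return not_after - now <= RENEW_WINDOW


def certbot_action(subcommand, lineage_exists, not_after, now,
                   keep_until_expiring=False, force_renewal=False):
    """Return what certbot does for the given subcommand and flags.

    'issue'   -> a new certificate is obtained (counts against rate limits)
    'keep'    -> existing certificate is kept/reinstalled, no new issuance
    'ask'     -> interactive prompt (the default for run/certonly on a match)
    'nothing' -> renew found no lineage to act on
    """
    if subcommand == "renew":
        # renew only touches lineages that are actually due, unless forced.
        if not lineage_exists:
            return "nothing"
        return "issue" if force_renewal or is_due(not_after, now) else "keep"
    if subcommand not in ("run", "certonly"):
        raise ValueError(f"unknown subcommand: {subcommand}")
    if not lineage_exists or force_renewal or is_due(not_after, now):
        return "issue"
    # Matching, not-yet-due certificate: only --keep-until-expiring avoids the prompt.
    return "keep" if keep_until_expiring else "ask"


def safe_command(subcommand, domains):
    """Build a run/certonly argv that never re-issues a certificate early."""
    argv = ["certbot", subcommand, "--keep-until-expiring"]
    for d in domains:
        argv += ["-d", d]
    return argv
```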