The implementation in technical terms is left open yes, but they could have added a clause that settings like this (and not necessarily specifically this alone) must be respected if set. And in that case no other questions may be asked because the preference is already given. In that case the EU would have done themselves a huge favour because now they get blamed by everyone for the cookiewalls. Even though this was never the intention of the law.

What do you mean verify? If it's set then it's set. It gets automatically injected with every web request. It's not possible to make sure the user manually set the flag or if it was default, no. But in the EU the law says that tracking must be opt-in so this is perfectly good behaviour in line with the law.

How are cookie banners any better in regards to 2? Not sure what you mean by 1.

Point 1 means that e.g. the GDPR doesn't mandate a specific implementation. It describes the outcome, which is quite reasonable.

Point 2: you can't check/verify if parties, especially those outside the jurisdiction of the EU, really honor things like the 'don't track' flag.

It's unfortunate that so many companies decide to implement the requirements in the laziest and sleaziest possible ways.