Its similar with VAC, the idea is people don't know when it updates so you catch more people I think. If you ban people right away then people will inform everyone the hack is detected now, but if you leave it a while you flag more people.
Dunno if its the same here, it might just be easier this way or make people paranoid enough to not try the hack
Its really important to not be lenient though. It seems everyone is allowed to get caught once as long as you only use it for a few hours, which is a crappy message to send out. I am glad they at least do perma if its used long enough, but I don't know if they are strict on people coming back with new keys