Yes, I believe it has happened before. I used to keep track of weird UDRP fact patterns, but it would take me a while to find them.
There are a couple of scenarios where this sort of thing has come up. The first scenario happened a few times during the early days of the UDRP. Unfortunately, the UDRP allows the complainant to request "transfer" or "cancellation". The original drafters of the UDRP didn't uniformly understand how the domain name system works, and they believed there was a way to 'cancel' a domain registration such that it would not be registrable again. The attorneys of some UDRP complainants would request "cancellation", the name would be deleted, and then someone else would register it again. So, then they would have to come back and request "transfer" the second time.
The other scenario was usually some kind of mismanagement. The back end of the UDRP, after a transfer is ordered, is something of a mess, because the person to whom the registrar should take transfer instructions is not always clear. So, you end up with situations where some lawyer in a trademark firm follows the instructions for transferring the domain name to an account that he or she sets up, and the subsequent follow-up to the client doesn't happen for any of a number of reasons. Usually, the lawyer who did the UDRP does not have a direct communication path to the technical people responsible for the domain name. The lawyer's client contact is someone in upper management or marketing, and so there is a lack of coordination between the lawyer holding the domain name, and the tech people who are supposed to take transfer of the domain name. Eventually, the domain isn't renewed, drops, and if it is registered again by someone who uses it in a manner relevant to the trademark then, yes, they'll file another UDRP to get it back.
As far as your personal incredulity is concerned, can you have something stolen from you twice? Yeah, sure. Lots of things go on in large, uncoordinated organizations. The person with the password to the registrar account is fired in a mass layoff, and nobody in management was aware that they fired the person responsible for making sure the domain name gets renewed, etc..
That's actually close to the fact pattern of one of the UDRP's I filed last year. The company hired an outside firm to manage an advertising campaign to promote several products. When the contract expired, the company didn't realize that the outside advertising firm was the registrant of some of the domain names that were used in the advertising campaign. One of the domain names was linked-in from retail sites and on product packaging. It expired and then someone else picked it up and used it for a gambling referral site.
If I have a habit of leaving the keys in my car in my driveway, my car might get stolen. But that doesn't mean I deserve to have my car stolen. If my car is stolen, then I can take action to get it back. If I again leave my keys in the car and it gets stolen again, yes, sure, I can go after the second thief too. After a while, that gets to be an expensive way to get my car back each time, but simply because someone did something wrong to me once doesn't mean I can't go after them if they do something wrong to me a second time.
And, yes, I understand you'll have a whole bunch of silly reasons why it should be open season on any company who mismanages their domain names more than one time, but the bottom line is that if someone engages in intentionally abusive domain name registration for the purpose of exploiting a trade or service mark, then the history of that particular domain name, or whether it has happened before, doesn't matter.
In fact, if you go back and pick a random swath of UDRP cases from a couple of years ago, you'll find that quite a few of them were not renewed after they were transferred. That's usually a result of some combination of (a) the "problem" having been "solved", (b) no one person in particular being responsible for or having the budget to renew recovered domain names, (c) poor follow-up with the lawyers after the UDRP, or some combination of those factors.
One can only wonder why you are asking, though. So, to make it clear, no, you don't get a "free pass" if you go and pick up domain names that were ordered transferred in UDRP disputes and, for whatever reason, were not renewed.