Why not do it this way? Before you can unlock to transfer domains you would receive an SMS code, then you can transfer domains without approval.
This would be a good feature, I'm tired of approving domains, imagine when transferring more than 1K domains, it's a pain in the boot.
What happens if the AuthInfo Code (will in the future be called TAC) is compromised AFTER you receive it from the current registrar, but before you've used it at the new registrar? (for example, if your PC had malware/virus, and the attacker grabbed the AuthInfo code without your knowledge). Without the ACK/NACK, the attacker's transfer would go through immediately, and you wouldn't have had the opportunity to NACK (reject) the transfer (if you saw it was going to an unintended registrar; e.g. you wanted it to go to Registrar A in the USA, but the ACK/NACK email says that "Registrar B" in China/Russia has made the request). If you've designed your security well, you'd have used a DIFFERENT email for the ACK/NACK email than the SMS, or for your control panel access. [i.e. you should have a different email address for the registrar account than the one in the WHOIS for the registrant, so that a compromise of one doesn't affect everything]
You'd be in bad shape if someone did a SIM SWAP or stole your SMS phone number, and did an unauthorized transfer that wouldn't be able to be ACK/NACK via the email.
If you're buying or selling a domain name, the ACK/NACK is also potentially a very important security protection, to ensure a transfer to a new registrar is to the right one (and that it's not stolen). e.g. if I sell Example.com to Jane, one way to do a deal (lots of different ways, including escrow, but I'll use this example) would be to have Jane send me the money first, and then I give her the Auth Info code, so she can transfer it to her preferred registrar. Suppose it's at Tucows now, and she wants to move it to GoDaddy. She takes the Auth Info code to GoDaddy, and I should then see (within 20 minutes) an ACK/NACK email from Tucows in my email. It'll say which registrar it's going to --- if it's not GoDaddy, but instead some Chinese/Russian registrar, then maybe Jane got hacked, or maybe she's trying to scam me (i.e. pretend that she never got the domain, so she can dispute the deal). So, having the ACK/NACK email is critical, as a safety mechanism.
Perhaps a divorcing couple has someone using a shared PC (with password manager) to login to the registrar, and check the SMS code while the true owner is sleeping, to take the domains before they leave. If the ACK/NACK email was kept more secure (separate PC at the office, or security key in a safety deposit box, etc.), one can be saved.....
Lots of different ways domains get stolen....and the report didn't really study them all properly or systematically.
I understand your pain, though, about it being tough for bulk transfers. They should fix things by allowing a single AuthInfo code for a GROUP of domains, rather than doing it one at a time. But, these obvious things are beyond ICANN, it seems...it would be rather simple to design/implement. It's all politics, though, because registrars that lose a lot of domains won't agree to the policy, because it would make it easier to leave them....and registrants are basically ignored by everyone at ICANN, as we've seen time after time after time. (it still makes sense to make comments, though --- don't let them win by default by giving up completely!)
They really should do a complete overhaul of the transfer system. I'd love to see a "before" and "after" of the WHOIS, for example, to ensure that it's all correct (i.e. more than just the new registrar, but the new registrant too). [I think some ccTLDs do this] I know that registrars are reluctant to do this due to GDPR, etc., but they could certainly do it if the registrant at the gaining registrar consents. [and they don't even need the info to be passed to the losing registrar --- all you'd need is a link from the old registrar to somewhere in the new registrar, so that the new registrar could display the proposed new WHOIS to the old owner]. If the new owner didn't want to provide that consent, the old owner could make up their own mind whether to accept/reject the transfer, depending on their risk tolerance, what they put into their written contract, the value of the domain name, or other factors.