In the two-factor system, setup is done using the standard validation methods and the context parameter, which makes the requiresSetup method and other setup methods in the abstract class redudant and confusing.
(Also, there is some code related to this setup in the controller, but it doesn't actually appear to render anything).
I don't disagree with you. It's a vestige of some refactoring that happened during development. However, I believe there is some code paths that could still be triggered, so it's not something that I would remove at this point. It will be something that's cleaned up when a BC break isn't a problem (hint hint ).