They don't always make sense:
1. If an asset is modified from being AUTH_REQUIRED=true to AUTH_REQUIRED=false, all previous unauthorized trustlines remain unauthorized but can't be allowed trust (op_not_required), unless you modify AUTH_REQUIRED to true, which means sandwiching ALLOW_AUTH ops with SET_OPTIONS before/after to set AUTH_REQUIRED true and then false.
2. if an asset is AUTH_REQUIRED=false and AUTH_REVOCABLE=true issuer can't actually revoke a trustline (op_not_required).
1 - a lot of plumbing involved.
2 - (a) why is it allowed to have AUTH_REVOCABLE without AUTH_REQUIRED if it does nothing? and (b) many times asset issuers want the default authorization to be true but be able to revoke, which can't be done right now. (super common in stable coins in other networks)
What might make sense:
AUTH_REQUIRED can be the default state of authorization. It's the state of a trustline when a new one is formed.
AUTH_REVOCABLE allows the issuer to ALLOW_AUTH from true to false, regardless of AUTH_REQUIRED.
ALLOW_AUTH from false to true should always be permissible.