It sounds like this is because the users had MFA re-enabled at some point after their initial registration, as you mentioned. The documentation says, "If per-user MFA is re-enabled on a user and the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in MFA management UI. The administrator must move the user directly to Enforced."
I don't think it would be because the app password isn't created, since the documentation also says, "If the user hasn't yet registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). Users who complete registration while in the Enabled state are automatically moved to the Enforced state."
This would indicate to me that as long as they either re-register or complete the registration when the MFA is initially enabled, the status should change to Enforced.