Event details
Will there be a situation where a device will be prevented from booting?
E.g. a moment where the 2011 certificate will be added to the DBX revocation list?
- mihi, Apr 23, 2026, Brass Contributor
The most likely scenario is that the certificates and boot manager are updated, and then you reset certificates to default. In that case you need to run securebootrecovery.efi.
Or when you later enable Secure Boot on a device installed without Secure Boot enabled with the new boot manager, but the new certificates are not in the DB.
Or when you boot an ISO from a manufacturer that has the new boot loader on another machine that does not have the certs.
The system will not allow applying the 2011 cert to DBX if the system is still booted from that boot loader. So it can only happen with external media or when you manually downgrade your boot manager after you added the 2011 cert to DBX.
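
One way to check which of the conditions described in the answer above apply to a given machine, as an added example that is not part of the original thread. The certificate names `Windows UEFI CA 2023` and `Microsoft Windows Production PCA 2011` and the helper name `Test-SecureBootVariableContains` are assumptions not stated in the thread; run it in an elevated PowerShell session on a UEFI system.

```powershell
# Added example, not from the original thread.
# Assumed certificate names (not stated in the thread):
$NewCa = 'Windows UEFI CA 2023'
$OldCa = 'Microsoft Windows Production PCA 2011'

# Hypothetical helper: returns $true/$false, or $null if the variable cannot be read.
function Test-SecureBootVariableContains {
    param([string]$Name, [string]$Text)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        return $null   # variable absent or not readable on this firmware
    }
    if (-not $bytes) { return $false }
    # Certificates are stored as DER; the subject name appears as ASCII text.
    return [System.Text.Encoding]::ASCII.GetString($bytes).Contains($Text)
}

# Confirm-SecureBootUEFI throws on systems without UEFI Secure Boot support.
try { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $enabled = $null }

$state = [pscustomobject]@{
    SecureBootEnabled = $enabled
    NewCaInDb         = Test-SecureBootVariableContains db        $NewCa
    NewCaInDbDefault  = Test-SecureBootVariableContains dbDefault $NewCa
    OldCaInDbx        = Test-SecureBootVariableContains dbx       $OldCa
}
$state | Format-List

# Map the findings to the scenarios from the answer.
if ($state.NewCaInDb -eq $false) {
    'DB lacks the new CA: a boot manager signed only by it is rejected once Secure Boot is enabled.'
}
if ($state.NewCaInDb -and $state.NewCaInDbDefault -ne $true) {
    'Firmware defaults do not show the new CA: resetting keys to default would remove it from DB.'
}
if ($state.OldCaInDbx) {
    'The 2011 CA is in DBX: older boot managers and external media signed by it will not boot here.'
}
```

A `$null` value in the output means the variable could not be read (for example `dbDefault` is not exposed by every firmware), which is different from the certificate being absent.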