I agree with what you've said, but I speculate the path they are taking is to dump all responsability onto an age verification corporation instead, so they can avoid being fined in the first place.
Can they seriously be stupid enough to not consider that creating that new "verification industry" is just going to create a brand new super-juicy target that fucking
everybody is going to try to hack on a regular basis? Skript kiddiez, muh Russians, the Chinks, the Five-Eyes gov'ts (naturally), the jeets, literally everybody is going to try to steal that immensely useful data. It'll only take one breach to cause no end of problems for anybody forced to use that system (i.e. every user of every website that uses it).
Of course, the cynic in me thinks they know full well that's what's going to happen, and they don't give a shit because they'll make tons of money off the new industry (and possibly also from the "identity theft protection" industry if they own shares in business there too).
ETA:
Also, I truly wonder how much "immunity" it's going to grant web sites and users even if they do move to these services. ID verification services for IRL purposes already exist; I've been places (for work and pleasure) that just scan my state-issued DL (it's got one of those neat 2D barcode things, not quite QR but same idea) to "verify" that it's real. Or at least "valid." Those aren't foolproof though, and let's say it's a bar or nightclub that's doing this, and they're ensuring it's 21+ only by refusing entry to anyone younger.
What happens when some 17 year old girl gets through on a fake ID, slipping past the bouncer or sneaks in the back door or whatever, then hooks up with some unsuspecting guy in his 20's who's operating on the (reasonable) assumption that every person in the club has been vetted to be over 21, i.e. "legal." Then her parents find out where she was and figure out she went home with him, and turn him into the cops. Does he have a valid defense? Is a third-party age and ID vetting, via another third-party, adequate? Does the venue have any liability (civil or criminal)? Does the vetting company? Is he going to jail? He
did commit statutory rape after all, and in lots of places, those laws are pretty strict and offer few (if any) exceptions. "She had a fake ID" has been held repeatedly not to be adequate even if he can prove it
was fake. All the state cares about is whether adult Tab A went into underage Slot B, and sometimes there's no other considerations.
Now take that nonsense (yes, it happens) and move it online. Let's say, oh, match.com or one of the other dating sites. They've had their own breaches, so they might be pretty eager to move the ID/vetting process to a third-party. So now, same question. Some dude in his late 20's farts around on the dating site, meets a pretty woman whose profile says she's 19, and of course the site uses third-party ID and age verification, so it
should be safe, right? So they talk, and decide to go on a date, and end up banging on his couch. Then, turns out she's 17, and the same thing as before happens -- parents find out, call the cops, etc. Again, does he have a valid defense?
Three separate parties (the dating site, the ID verification company, and the woman herself) all represented her as 19 years old and the two third parties vouched for her. But, as above, the act happened, and adult Tab A went into underage Slot B. What happens?