Why don't CDNs require authentication to access static files?

The reason for this is large scale applications. When you have large scale applications, checking for authorization takes unacceptable amount of resources. Thats why static resources, like pictures, videos and other content, are stored externally on static CDN servers using a random token, and then the authorized response can include this token.

This means they only need a few replicated database servers, and then they can have large amounts of CDN servers that cache each other permanently.

Distributed servers is what makes rotation difficult aswell, as then the static CDN servers need to be told to rotate that value. And that incurs unacceptable resource usage, as that needs to be done periodically. As opposed to a random value only needs to be set at upload.

Even calculating a md5 hash, generating a random value or something that seems "simple", can be a heavy lift for a distributed CDN server to do.

So the server is a simple storage of files. Basically, all authentication and generating of random values happen on the "active servers" (that run code), while the static servers only store files based on filenames, and serves files based on filenames.