I feel like the biggest issues are that their whole manner of handling bot reports is needlessly convoluted, coupled with the fact that the JP side of things doesn't seem to be aware and/or care just how bad the issue is outside of their country. The only response they could offer to the outcry they addressed in a Q&A was "Keep reporting the bots" (If that was actually working, the same ones wouldn't be here still since the ARR days...).
This is the only MMO I've ever seen where the GMs need to forward reports to a separate team that goes through some manner of extensive and evidently faulty screening process before they even try to investigate.
The way things usually go is:
1. Player sends GM report that they suspect someone is botting.
2. GM goes to observe said player to see if they're suspicious and sends them a tell to see if they respond.
3. If no response, they drop the ban hammer. If they do respond, they just leave them be.
It's quick and efficient, and with how swift the GM response time is coupled with 24/7 service, it's easy to get them to show up at a time where you can be relatively certain the bot is truly AFK and not being monitored by its owner. I don't know why they need to go through this extra hurdle of having the STF handle things (particularly when their team is MUCH smaller than the GM team, if the credits are anything to go by).
The STF supposedly have special "tools" they use to investigate/detect bots, but I get the impression they're ineffective to the point where only the really poorly programmed bots that do things like spam the server with an unrealistically high number of commands in an attempt to work faster ever get caught by them. They evidently are catching some of them if the weekly illicit activity reports are to be trusted, but they might be under the mistaken impression that these super obvious bots are the only ones that exist when the majority of them are slipping through the cracks.
The thing that bugs me the most, though, is the uncertainty about whether the reports are even getting through to them in the first place, because considering how slowly even a major exploit like the Ungarmax issue was handled, they seemed to have some serious issues when it came to communicating things between their different teams, and I don't doubt that they still do to some degree.