* Legal stuff (eg. some algorithm detected child porn in his account, is an employee legally allowed to look at it to confirm the algorithm was correct? no.)
* Internal Politics (eg. one team has found this account DoSing their service, while the account is perfectly normal in all other ways, but due to Googles systems being so complex a single-service ban is very hard to implement)
* GDPR/Privacy laws (The law requires the deletion of no-longer needed data. As soon as his account gets banned, the data is no longer needed for Googles business purposes (of providing service to him), so the deletion process can't be delayed.
* Stolen/shared accounts. All it takes is one evil browser extension to steal your user account cookie and go on a spamming spree. Figuring out how it happened is near impossible (user specific logs are anonymized). Usually just resetting the users logins doesn't solve it because the malware is still on the users computer/phone and will steal the cookie again.
* Falsely linked accounts. Some spammers create gmail addresses to send spam, but to disguise them they link lots of real peoples accounts for example via using someone elses recovery phone number, email address, contacts/friends, etc. In many cases they will compromise real accounts to create all these links, all so that as many real users as possible will be hurt if their spamming network is shutdown.
* Untrustable employees. Google tries not to trust any employee with blanket access to your account. That means they couldn't even hire a bunch of workers to review these accounts - without being able to see the account private data, the employee wouldn't be able to tell good from bad accounts.
* Attacks on accounts. There are ways for someone who doesn't like you to get a Google account banned. Usually there are no logs kept (due to privacy reasons) that help identify what happened. Example method: Email someone a PDF file containing an illegal image, then trick them into clicking "save to drive". The PDF can have the image outside the border of the page so it looks totally normal.
Yes, it's solvable, and Google should put more effort into it, but it's hard to do.
If you had experience with this, you would know that you just described the polar opposite of how that process works in the United States. Federal law requires human verification as part of the mandatory NCMEC reporting process. If you’re employed by Google and have that impression of how it works it means the green badges doing the work aren’t known to you, which isn’t a huge shock since TVCs are barely one step above disposable barcode at Google.
Source: I’ve forensically verified enough child exploitation in the course of tech employment to make me thoroughly and irredeemably despise humanity as a species. (Fighting insurance to pay for therapy I now need, against their will, was fun too.)