Wouldn't it be easier if we call createAuthenticatedToken() from createToken() (with a hidden 3 parameter: $triggerDeprecation)? I think that's what we normally do

I wish it would be as simple, the difference here is that this is an abstract class.
Take the following example (which reflects what I have in lexikjwt):

class JWTAuthenticator 
{
    public function createAuthenticatedToken(PassportInterface $passport, string $firewallName)
    {
        $token = parent::createAuthenticatedToken($passport, $firewallName);
        
        // do something
        
        return $token;    
    }
}

Problem: Making AbstractAuthenticator::createToken() calls the legacy createAuthenticatedToken() with an extra flag that disable the deprecation notice would have no effect, because createAuthenticatedToken would be called on the final implementation i.e. JWTAuthenticator::createAuthenticatedToken(), not the AbstractAuthenticator one - which means that the flag is ignored given that JWTAuthenticator does not know about it.

Also, I need to keep the bundle compatible with both 5.3 and 5.4, which requires to keep implementing the legacy createAuthenticatedToken() in addition to the new method (it's just never called on 5.4).

I hope my explanation is clear enough, I literally spent 2 hours figuring how to fix this BC layer so that everything behaves as expected.
Btw, I just force pushed to hopefully make the code simpler by moving the logic to AbstractAuthenticator only and removing the __call() method.