No, they're directly in violation. This is fully settled; it's just that some companies are counting on it not being "the thing that gets an enforcement action".

How is ease of opt out versus opt in objectively measured?

Most of the time both options are presented clearly and within a few pixels from each other, but opt-in is usually slightly more eye catching and/or more appealing. But the effort in terms of distance for mouse movement or number of clicks is the same. While that’s a design trick that will improve % of opt-in, how can it be argued that the opt-out was not as “easy”?

In recent pop-ups, you are technically opted out by default(or at least that is how it is presented, I have not actually checked their cookie activity).

It is two clicks to confirm that choice and dismiss the pop-up versus one to accept all cookies but if you choose to interact with the site and ignore the pop-up instead, you are supposedly non-essential cookie free by default.

Then how is it some websites (I think the one I'm thinking of is The Sun or The Mirror) paywall the decline option? Presumably this is just illegal?

Except there are plenty of websites that are: accept cookies (yes) (no - you must pay), which is an extreme breach of GDPR.

But GDPR is toothless and ill thought out.