One Day Sec

Why might a successful exploit using these vulnerabilities still result in an inactive or unusable account?

Even after successfully creating a privileged user, the account remains in an ‘unactivated’ state. Activation requires the attacker to click a link sent via email, which only works if both the email sending function and user registration are enabled in the Joomla backend. Without both, the account cannot be activated or used to log in, as demonstrated in the Joomla 3.4.4-3.6.3 Account Creation & Privilege Escalation Test Record.
inactive account, email activation, user registration disabled, Joomla backend settings
