I have always wondered how a site is allowed to offer you an opt-in for anything that doesn't fall under legitimate interest. It would be driven by an illegitimate interest by assumption.
When using a legitimate interest (opt-out) as a legal basis, the interest must be both legitimate AND outweigh the data subject's rights and freedoms. This requires a balancing test between the various factors to be performed first.
Similarly, you can't just legitimize anything with consent (opt-in) – the consent must be valid, and of course can't override more specific laws. You can't consent to something illegal.
So no, failing to use legitimate interest doesn't mean it's illegitimate or that consent could always be used. It could also mean that the balancing test failed, or that laws prescribe a different legal basis. E.g. the “cookie law” prescribes consent for non-necessary cookies and similar technologies.
It becomes clearer if you look at it in terms of core business. So yes, they can collect X and Y because that's their core business and directly related to the product.
When it's for marketing, telemetry or similar purposes, it's tangential data, which need not be illegal or immoral to be an "illegitimate" interest. It becomes more of a dark pattern when they present a selectable option for "legitimate interests" - at best malicious compliance. They might think it's legitimate because it makes them money?
Similarly in the vein of malicious compliance is offering a cookie consent banner. As far as I know, they only need to do that if they're tracking you or storing TMI/PII. Worse is, it works, too, because now everyone is complaining about the law and not the companies engaging in these dark patterns.