Ideally, the issuer is able to investigate what type of fraud exactly happened on the card, and in case of a suspected compromised card number they can choose to simply not perform account updates or carry over tokens to the new card.

Practically, it's of course not that simple or clear-cut. As most things in payments, this too is a trade-off of cardholder inconvenience, support effort, fraud losses etc.