Because the 401 says how to authenticate and provides the random challenge, and the client subsequently replies with:
Authorization: Digest username="user1",realm="asterisk",nonce="1655738079/0a5bc3a62055bfd8018556dcd113ccd4",uri="sip:192.168.0.12:5060;transport=UDP",response="20fcef6c8ab60e75301c2a1a6f24eb11",cnonce="7b53f90ce4c2d181464ae9a1b5cc7c37",nc=00000001,qop=auth,algorithm=md5,opaque="74da5fb649b889a2"
which is based on the password and the random challenge.
The ones that get the 401 don’t have such a header. You’d also get a 401 for an out of date random challenge (nonce). This is also a standard part of how SIP authentication works.
If the same device is responding to 401 in some cases, and not in others, it means the 401 is not reaching it, in the second category of cases, but it does have a password to use.