Why are two cookies used?
What’s the diff?
It’s not exactly a short story or a relatively easy one to explain (especially as I’m by no means an expert). However, the basics are that it’s generally accepted to be part of a secure cookie protocol.
This article: http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf sums it up better than I ever could and is well worth the read.
The WP Codex article at http://codex.wordpress.org/WordPress_Cookies briefly explains what’s going on (but that needs an update for the newest versions). As you can see, it comes from a practice of having one cookie for the username and one for the password (which in WP’s case is double hashed). This has been changed, as you say, to one cookie containing all the login data and one for ‘logged_in’.
The logged_in cookie is for the front end of the site whereas the other is for the wp-admin area (you should be able to see this in the ‘domain’ part of the cookie). Which, I guess, is the ‘answer’ to your question. It’s not entirely necessary, but better for security (more is better, right? 🙂 ) and also probably slightly more efficient.
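
An added sketch, not part of the answer above and not WordPress's own code: it models why a front-end cookie and an admin cookie are kept separate, assuming each cookie scheme is HMAC-signed under its own secret. The cookie layout (`username|expiration|mac`), the secrets and the function names are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed secrets for this sketch (assumption): one independent
# signing secret per cookie scheme, kept in server-side configuration.
SCHEME_SECRETS = {
    "auth": b"constructed-secret-for-admin-cookie",
    "logged_in": b"constructed-secret-for-front-end-cookie",
}


def _sign(scheme, username, expiration):
    """Return a hex HMAC over username|expiration, bound to one scheme."""
    msg = f"{username}|{expiration}".encode()
    # Derive a per-cookie key from the scheme secret, then MAC with it,
    # so the tag covers the user, the expiry and the scheme together.
    key = hmac.new(SCHEME_SECRETS[scheme], msg, hashlib.sha256).digest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_cookie(scheme, username, expiration):
    """Build the cookie value the server would set for this scheme."""
    return f"{username}|{expiration}|{_sign(scheme, username, expiration)}"


def validate_cookie(scheme, cookie, now=None):
    """Return the username if the cookie is valid for `scheme`, else None."""
    now = time.time() if now is None else now
    parts = cookie.split("|")
    if len(parts) != 3:  # also rejects usernames that contain "|"
        return None
    username, expiration, mac = parts
    if not (expiration.isascii() and expiration.isdigit()):
        return None
    if int(expiration) < now:  # expired
        return None
    expected = _sign(scheme, username, expiration)
    # Constant-time comparison avoids leaking the MAC byte by byte.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return username
```

A cookie minted for `logged_in` validates only under `logged_in`, so capturing the cookie sent with front-end requests does not yield a value the admin-side check accepts.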