The NYT ran estimates that more than 260 million people use RSA SecureID tokens, though that seems a high estimate for IDs that are in current, regular use.
Compared to that, replacing 45,000 that were directly affected is a pretty weak response.
With as much insider knowledge as they must have gained from the RSA breach, attackers with the kind of resources available to a foreign-national intelligence agency could do more than just clone a few electronic tokens.
It could reverse-engineer SecureID's lower-level code and build tools that would let them crack sites whose RSA tokens and security weren't part of the loot taken in March.
Replacing a few directly compromised IDs just isn't going to make enough of a difference.