They then just wait until the next exploit comes along.

And within hours (or minutes) of the new exploit becoming public, they swoop, own their target site and rootkit it.

Does anyone else think this is true?

And if it is true, then has half the Internet been rootkitted long before the sites owner could update SSL?

AND......so you updated your website - good on you. Do you think you had already been rootkitted?