You’re right, they just fall for installing updates or CLI tools which install compromised dependencies and run wild on a rooted system before getting caught 24 hours later.

On their phones?

Also, 'rooted' means you have root access, not that you run everything as root.