
artyom, today at 1:05 AM (0 replies)

What prevents the malicious piece of a package from just staying dormant for the cooldown period so nobody notices? What happens if everyone waits for a week to cool down, so the exact same problem happens, only a week later?

This may work in the case where the maintainer becomes aware of the compromised account/credentials/package before the cooldown period; otherwise, if it's about vendors and "other people", it's a roll of the dice. They may have longer cooldown periods than you.

Then we absolutely need an override for the cooldown period when we have to pull a zero-day patch the moment it's released.

The only reason cooldown periods haven't been exploited is because they're not widely utilized. If they become mainstream, it'll take a couple of weeks to be rendered useless (yes, this last part is 100% futurology).
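The two mechanisms the comment argues about, a release-age cooldown and an explicit override for urgent patches, are small enough to show as a version resolver. The code below is an added illustration, not the commenter's code and not any package manager's implementation; the package name, release dates and version numbers are constructed sample data. It shows that the cooldown is purely a time filter on publish dates, and that every override is a hole in that filter, which is why the code refuses an override without a recorded justification.

```python
from datetime import datetime, timedelta, timezone

# Constructed release metadata for a hypothetical package "examplelib":
# version -> publish timestamp (UTC). Not real registry data.
RELEASES = {
    "1.4.0": datetime(2024, 3, 1, tzinfo=timezone.utc),
    "1.4.1": datetime(2024, 3, 20, tzinfo=timezone.utc),
    "1.5.0": datetime(2024, 3, 27, tzinfo=timezone.utc),  # two days before NOW
}

# Assumed "current time" for the example, so it is deterministic offline.
NOW = datetime(2024, 3, 29, tzinfo=timezone.utc)
ONE_WEEK = timedelta(days=7)
TWO_WEEKS = timedelta(days=14)


def parse_version(v):
    """Turn "1.4.1" into (1, 4, 1) so versions sort numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def eligible_versions(releases, now, cooldown, overrides=None):
    """Versions installable under the cooldown policy.

    A version is eligible when it has been public for at least `cooldown`,
    or when it appears in `overrides`, a mapping of version -> justification
    (for example the advisory that tells you to take the patch now).
    An override with an empty justification is rejected: each override
    bypasses the waiting period entirely, so it must be deliberate and
    reviewable, otherwise the cooldown is silently gone.
    """
    overrides = overrides or {}
    for version, reason in overrides.items():
        if not reason or not reason.strip():
            raise ValueError(f"override for {version} needs a justification")
    cutoff = now - cooldown
    return sorted(
        (v for v, published in releases.items()
         if published <= cutoff or v in overrides),
        key=parse_version,
    )


def newest_eligible(releases, now, cooldown, overrides=None):
    """The version a resolver would pick: newest that passed the cooldown."""
    candidates = eligible_versions(releases, now, cooldown, overrides)
    return candidates[-1] if candidates else None


def demo():
    """Three policies side by side; returns the chosen versions."""
    return {
        "one_week": newest_eligible(RELEASES, NOW, ONE_WEEK),
        "two_weeks": newest_eligible(RELEASES, NOW, TWO_WEEKS),
        # Hypothetical urgent patch: the override lets 1.5.0 through at once.
        "one_week_with_override": newest_eligible(
            RELEASES, NOW, ONE_WEEK,
            overrides={"1.5.0": "ADVISORY-PLACEHOLDER: fixes actively exploited bug"},
        ),
    }


if __name__ == "__main__":
    for policy, version in demo().items():
        print(f"{policy}: {version}")
```

Note what the filter cannot do: a release whose payload stays dormant past the cutoff looks identical to a clean one, because the only signal consulted is the publish timestamp. The cooldown buys time for someone else to notice and for the maintainer to yank the release; the override path, and who is allowed to use it, is where that time can be given back.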