Hacker News

halJordan, yesterday at 7:21 PM (5 replies)

But then what happens when everyone just shifts their window too? This solution is a misuse-of-the-commons type thing where you just take advantage of letting others get poisoned and see if they drop.


Replies

nulltrace, yesterday at 9:22 PM

Scanners catch most of these within hours. The cooldown just buys them time to run, not waiting for some other dev to get hit first.

hxugufjfjf, yesterday at 8:41 PM

I think the idea is that security scanners run by companies like Wiz and Aquasec, etc., will pick this up in that timeframe, not that you sit around and wait for others to get compromised.

adamandsteve, yesterday at 8:38 PM

I kind of agree, but presumably this would happen more among people maintaining security-critical projects. In that case it'd be a net positive for other projects to get infected first, since if they aren't delaying package updates by 24 hours then security probably isn't quite as important. Which also makes it better in general because hackers will be less incentivized to write viruses if all the really juicy targets will only download them after they've gone undetected for e.g. 7 days.

dist-epoch, yesterday at 11:06 PM

That happens all the time in tech. Some people test Release Candidates. Most don't. Some people upgrade to x.0 software. Most wait for the x.1 release.

The bigger danger is malware writers adding sleep(7days). But if there is a wide variety of cool-down periods (3 days, 7 days, 30 days) this will not work very well.
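An added example of the cooldown the thread is discussing, written for this page and not taken from the thread or from any registry or scanner named in it: given a package's publish history, pick the newest version that has already aged past the consumer's own cooldown, so that a freshly pushed `latest` is skipped until it has been public long enough for scanners to have looked at it. The sample metadata is constructed and follows the shape of an npm packument's `time` map (version to publish timestamp); the package name, versions and dates are invented, and the fixed `SAMPLE_NOW` clock stands in for the current time. Running it with several different cooldowns (3, 7, 30 days) shows why a malware author cannot pick a single `sleep()` that clears every consumer's window.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: shape follows the npm registry's packument "time" map
# (version -> ISO publish timestamp). Name, versions and dates are invented.
SAMPLE_PACKUMENT = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.3.0"},
    "time": {
        "created": "2024-01-02T10:00:00.000Z",
        "modified": "2024-03-20T09:00:00.000Z",
        "2.1.0": "2024-01-02T10:00:00.000Z",
        "2.2.0": "2024-02-15T12:30:00.000Z",
        "2.2.1": "2024-03-01T08:00:00.000Z",
        "2.3.0": "2024-03-20T09:00:00.000Z",  # pushed 5 days before SAMPLE_NOW
    },
}

# Fixed "current time" so the example is deterministic (assumption, not real).
SAMPLE_NOW = datetime(2024, 3, 25, 0, 0, 0, tzinfo=timezone.utc)


def parse_semver(version):
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple.

    Pre-release and build-tagged versions are rejected on purpose: a cooldown
    policy that quietly accepted '2.4.0-rc.1' would defeat its own point.
    """
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version}")
    return tuple(int(p) for p in parts)


def parse_time(ts):
    """Parse the registry's UTC timestamp format into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def pick_version(packument, cooldown_days, now=SAMPLE_NOW):
    """Return the newest version published at least `cooldown_days` before `now`.

    Returns None when nothing has aged enough, which the caller should treat
    as "do not install", not as "fall back to latest".
    """
    cutoff = now - timedelta(days=cooldown_days)
    eligible = []
    for version, ts in packument["time"].items():
        if version in ("created", "modified"):
            continue  # bookkeeping keys, not versions
        try:
            key = parse_semver(version)
        except ValueError:
            continue  # skip pre-releases and anything non-semver
        if parse_time(ts) <= cutoff:
            eligible.append((key, version))
    if not eligible:
        return None
    return max(eligible)[1]


def latest_is_past_cooldown(packument, cooldown_days, now=SAMPLE_NOW):
    """True when the registry's `latest` dist-tag itself has aged past the cooldown."""
    latest = packument["dist-tags"]["latest"]
    return parse_time(packument["time"][latest]) <= now - timedelta(days=cooldown_days)


if __name__ == "__main__":
    # Three consumers with different windows resolve the same package differently,
    # so no single delayed payload clears all of them at once.
    for days in (3, 7, 30):
        print(f"cooldown {days:>2}d -> install {pick_version(SAMPLE_PACKUMENT, days)}")
```

The check runs entirely on registry metadata, so it can sit in front of `npm install` or a lockfile update without executing anything from the package. It is a delay, not a verdict: a version that has aged past the window is only one that scanners have had time to see, and the policy still depends on someone actually scanning in that interval.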