A compromised account can still transact only within the KYC’d subset of accounts. So in fact it doesn’t matter when you blacklist them (or the addresses to which they sent the compromised coins).
KYC would be probably pointless without some sort of rate limit which prohibits draining funds like that. Particularly for large amounts, for which this “theft protection” is the most relevant.
Though where would you cash out those stolen funds if your trace is fully KYC’d as can only send them to KYC’d accounts and exchanges?
Again, this assumes there’s no rate limiting for large amounts.
Key management is hard. Hot-key management is harder. Even more so if you care about uptime and throughput.
But they also haven’t rolled out CBDCs yet…