It mainly helps with stuff like enforcing modern TLS + ciphers and various other changes that occur naturally in the ecosystem over time.
You are not wrong about the malware part though. Said undetected malware would continue to be undetected and continue to expose the private bits no matter how (in)frequently you rotate.
>It mainly helps with stuff like enforcing modern TLS + ciphers and various other changes that occur naturally in the ecosystem over time.
???
Why would you need to issue new certificates for "enforcing modern TLS + ciphers and various other changes"? There's nothing preventing you from using a newly minted letsencrypt certificate with SSLv3, for instance.
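The point made above, that protocol and cipher policy live in the server configuration and not in the certificate, can be seen in code. The following is an added example (not code from anyone in this thread); it builds a server-side TLS context with the Python standard library that enforces TLS 1.2+ and a modern cipher list regardless of which certificate is loaded. The certificate and key paths are placeholders and the cipher string is an assumption about what "modern" should mean; the version floor and cipher policy would be identical with a brand-new or a years-old certificate.

```python
import ssl

# Substrings that mark cipher suites nobody should still be offering.
LEGACY_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def hardened_server_context(certfile=None, keyfile=None):
    """Build a server TLS context that enforces TLS 1.2+ and modern ciphers.

    certfile/keyfile are optional placeholders: the protocol floor and the
    cipher list are set on the context itself, so they apply no matter which
    certificate (fresh or old) is loaded.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Protocol floor: refuses SSLv3, TLS 1.0 and TLS 1.1 handshakes outright.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string for TLS 1.2: forward-secret ECDHE with AEAD only.
    # TLS 1.3 suites are governed separately by OpenSSL and are already modern.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_ciphers_enabled(ctx):
    """Return the names of enabled cipher suites that match a legacy marker.

    An empty list means the context offers nothing from the legacy set; this
    is the check to run against a context, not against a certificate.
    """
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if any(marker in c["name"] for marker in LEGACY_CIPHER_MARKERS)
    ]


def tls_floor(ctx):
    """Return the lowest protocol version the context will negotiate."""
    return ctx.minimum_version


if __name__ == "__main__":
    ctx = hardened_server_context()  # no certificate needed to inspect policy
    print("minimum version:", tls_floor(ctx).name)
    print("legacy ciphers enabled:", legacy_ciphers_enabled(ctx))
    print("total suites offered:", len(ctx.get_ciphers()))
```

Hand this context to `ssl.SSLContext.wrap_socket` or to any server framework that accepts an `SSLContext`; swapping the certificate underneath it changes nothing about which protocol versions or ciphers clients are allowed to negotiate.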
Sure, I misspoke. It's more about the contents of the cert itself (signing keys, deprecation of CN field, etc) than the hosting web server configuration.
Obviously, one can actively choose to go out of their way and do something bone-headed - nothing can stop that.