There might be a good reason for rollbacks and even wipes. Here’s the relevant part of the patch announcement:
“Code injection” is a programming term that means that a user somehow managed to hand the system some data in such a way that the system was fooled into executing it as code, i.e. program instructions.
What could be happening in this case is that the hackers modified one or more data files on the affected servers in a way that would give them admin powers or something along those lines. Normally, a security hotfix would patch the code in such a way that those data file changes don’t lead to untrusted code execution, but I’m not sure what Funcom did exactly, so they might have their reasons to want to get rid of those data files.
If that happens to be the case, the only thing they can do is either wipe the server or roll it back to where the files were clean. And if the backups don’t go that far back, then they have to wipe the server.
To be perfectly clear, they shouldn’t need to do that, but maybe they did it like that because they had no time to put out a better fix (or for some other reason I’m not privy to).
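The difference between a loader that executes a data file and one that only parses it, as an added example that is not part of the original post and not Funcom's code. The file format, field names and the `ADMINS` set are hypothetical, and both sample files are constructed.

```python
import ast

# Constructed sample data files (hypothetical format: "key = value" per line).
CLEAN_FILE = "name = 'Alice'\nlevel = 12\n"
# Tampered copy: the "level" field holds an expression instead of a number.
TAMPERED_FILE = "name = 'Mallory'\nlevel = ADMINS.add('Mallory') or 60\n"

ADMINS = set()  # server state that a data file should never be able to change


def load_vulnerable(text):
    """Evaluates every value as Python, so file content runs as code."""
    record = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        record[key.strip()] = eval(value.strip(), {"ADMINS": ADMINS})
    return record


def load_hardened(text):
    """Accepts literals only (strings, numbers, ...); anything else is rejected."""
    record = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        try:
            record[key.strip()] = ast.literal_eval(value.strip())
        except (ValueError, SyntaxError):
            raise ValueError(f"field {key.strip()!r} is not plain data") from None
    return record


if __name__ == "__main__":
    print("vulnerable:", load_vulnerable(TAMPERED_FILE), "admins:", ADMINS)
    ADMINS.clear()
    try:
        load_hardened(TAMPERED_FILE)
    except ValueError as err:
        print("hardened: rejected,", err, "admins:", ADMINS)
    print("hardened, clean file:", load_hardened(CLEAN_FILE))
```

With the hardened loader the tampered file is flagged and server state is untouched, while the clean file loads identically under both loaders.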