The botnet would need many years for reaching a 50% probability of key collision.
Many millions of years.
It's not impossible for a collision to be found, but there's not enough profit in it. Even if someone can find one address every hundred million years, all they get to spend is the balance of that one address. This equates to an averaged cost of fraud of way less than a millionth of a cent per transaction.
It's not worth worrying about, when any simple trojan or social engineering attack is sure to net a few wallets.