The botnets seemed to have come to the conclusion that it is better to join the bitcoin network rather than sabotage it.
This depends on who runs the botnet.
And in different applications it depends on the motivation of the attacker. In a monetary application (Bitcoin) the attackers may be botnets which want to make some $$$ (or, rather, BBB); unless you are the FED or Visa, of course. If you look at directory applications, an attacker is not interested in double spending but might be interested in preventing a certain result or document from being stored in the system or to disrupt the operation of the system. Here, the motivation of an attacker is different, as well as the means he can use for an attack.
What would be the point of an attack even if it could be briefly successful before being discovered and blocked?
How do you block an attack? Reject blocks that have the "evil" bit set? (Actually there are ways, but they require a fundamental change in how branches are selected)
Working on a new application type, a "fundamental change" in how branches are selected is a real option. Therefore I would be very interested in learning about this, even if it is "just" a "raw" idea and not a source code patch.