I think the incentives do not align perfectly with that strategy if there are multiple possible attackers. First, another quantum hacker try to hack the same keys but with the alternative strategy to empty the addresses as early as possible. The "silent" hacker's effort would be then in vain. Of course he could monitor the mempool, but his double spend attacks will have a success rate of less then 1, so there will be always effort wasted.

Second, if the "silent" hacker manages really to hack a large number of keys it is very obvious that there was an attack and the price would probably tank, leaving the hacker with less ROI. In contrast, if an attacker targets old P2PK coins then it's possible that a few of these attacks will have no impact in the price because nobody knows there was an attack. And if someone claims coins were stolen, there's always the possibility they were stolen with other techniques, obtaining private keys, exploiting bad RNG etc.

Anyway, having re-used cold storage addresses should be a no-go even in 2025 already. An interesting measure would be to convince all wallet programmers to implement massive warnings for address re-usage, mentioning the possible quantum threat.