If you look at Monero pools you'll see lots of miners with hashrates equivalent to 20,000 CPU cores and more, and it wouldn't be profitable for people to buy or rent that many CPU cores.
Can you please show two or three examples where this could be/was seen?
And please define "lots" so we understand what you mean.
Check the stats of large Monero pools, like this relatively small Monero pool for example -
https://minergate.com - One user with almost 70kH/s and ten users all above 6kH/s. While large botnets don't even need to use pools as they can solo mine on each node in the botnet while the sum of their work would be enough to solo mine easily. As ten-thousand nodes hashing at 10H/s (say on CPUs that could max 100H/s on average if dedicated) will find the same amount of blocks as one node hashing at 100kH/s.
What is your best estimate for the percentage of work being done by botnets over at Monero?
It sounds like there is potentially ~140 kH/s at minergate. Let's multiply that by 10 to account for other pools and solo miners, which gives about 1.4 MH/s. The network hash rate is about 26 MH/s, so this comes out to about 5% of the total work being done.
Anything that is less than 10% wouldn't bother me at all. Given that there are probably several independent botnets operating, my guess is that Monero is probably very decentralized. In the worst case, you might be able to make the argument that botnets are about as "evil" as ASICs (in terms of centralization).