one problem with this approach can be seen by looking at the example of spam blacklists.
they start off with the best of intentions of only blocking the bad guys, but over time every one of them has started blocking more, and taken a more and more draconian definition of what they would block, until they become more of a liability than an advantage.
luckily anti-spam blacklists are opt-in (for the receivers) and so can mostly be worked around as they go bad.
I would expect the same type of pattern to show up with the 'whitehat botnets', they start off 'just' installing security updates, then move to installing newer versions (it's too hard to backport the security fixes, so move them to a version that has them), then more updates (hey, after all, just about any bug can be a security issue), then to removing software (after all, isn't it insane to allow someone to run telnet or ftp?), etc. each step of the way would cause more grief (starting with interrupted programs as they are restarted and going from there)
I don't believe that such an approach would be a 'whitehat' botnet. dark grey at best