You can't patch a compromised system back to non-compromised status. The rootkit can just lie to you that it has installed the update. It can lie to you about the kernel version in boots there-after.
Once your box is compromised, you're hosed.
You're deluding yourself that Secure Boot gives you the equivalent of "read-only media, except to the software I trust", because the base OS is simply *way* too large to trust to be secure against exploits. At least, for a general purpose, generally programmable OS.
What you /really/ want is a "Secure Layer" between the software you don't trust (i.e. pretty much all software), and the software you have no choice but to trust (i.e. the base OS, which is on your side, but is too large and has to do too much low-level, fiddly work to be securable). Secure Boot doesn't give you that layer. The claimed security benefits are illusory.