Your first paragraph isn't quite right.
Modern hacks/cracks aren't a "do this and suddenly you are in" type deal.
It's a cascade chain of failures of non-malicious software.
Saying "don't have a virus" is absolutely correct, however that's not the concern here.
The concern is about the broadening of the attack surface.
A hacker gets minor access to a system. Leverages some CVE to get a bit more access, and keeps poking around and trying CVEs (known or unknown) until they get enough access to run this CVE.
And then they can escape the VM onto the host or other VMs on the same system, which might then give them access to a VM on another host, and they can escape that VM to get access to another VM, and on and on.
Very quickly, there is a fleet of VMs that are compromised. And the only sign of someone poking around is on the first VM the hacker broke into.
All other VMs would be accessed using trusted credentials.
ETA:
Infact, it doesn't even need to be a hacker.
It could be someone uploading a CI/CD task using their own account. It extracts all API keys, usernames and passwords it can find.
Suddenly, you have access to a whole bunch of repositories and APIs.
Then you can sneak in some malicious code to the git repo, and suddenly your malicious code is being shipped within legit software that gets properly signed and everything.
Yes.
And you know in Task Manager where it groups things by user and by system? System is just another user.
So, undetected access to all that
I'm going to guess they cut around the damaged area and weld a new plate into position.
They might weld backing plates across the join between the new plate and the existing hull, then fill the gap with more welding.
Similar to how you fix a hole in plasterboard. Just bigger, heavier, and weldier.
Certainly not an easy thing to do. There will be bulkheads in the inside, wiring and plumbing, all sorts of things.