They clearly didn't want to leave a system unbootable because a certificate expired. In which case you would have no opportunity to update the certificate because you can't boot the system anymore.

They could've used a time stamping service to include a signed timestamp in the binary to compare the expiry date against, but that still leaves the system unbootable after the time stamping certificate expires in the far future.

Besides, a hacking group powerful enough to steal Microsoft's Secure Boot private key will likely be able to steal a timestamping private key from a certificate authority as well.