If your disk encryption software gets exploited, then presumably it's a hop skip and a jump to make your way into the kernel, rendering recovering from tainted backups pointless. You'd have to start from scratch with new encryption software that you trust hasn't been exploited.

There's always a chain of trust that you have to follow down. It just gets harder to mess with the deeper you go. Not impossible, just more difficult and less likely to be entirely automated.