It used to be standard operating practice as an attacker to close the holes through which you yourself gained access to prevent others from taking your prize.

Ironically the most secure and cheapest thing a company could do was get compromised by a competent attacker who only wanted to launder small amounts of data or CPU cycles through your network, and in exchange keeps your servers all patched and up to date for you to keep out other attackers.