Here’s a paper about Sony and the Rootkit:

While Sony BMG’s customers first became aware of the dangers posed by the rootkit through media reports following Russinovich’s October 31 announcement, the company was on notice that its product contained a rootkit, at the very least, four weeks earlier.12 Finnish anti-virus software developer F-Secure contacted Sony BMG on October 4, 2005, alerting it to the presence of the rootkit.13 Of course, First4Internet, as the developer that chose to incorporate the rootkit into its design, necessarily knew of its presence from the outset.

— THE MAGNIFICENCE OF THE DISASTER: RECONSTRUCTING THE SONY BMG ROOTKIT INCIDENT, By Deirdre K. Mulligan & Aaron K. Perzanowski

Yet Sony apparently thought that they could still sneak a rootkit onto CDs its customers paid for. The customers knew better, because Amazon reviews told them, and sales CDs plumetted as soon as rootkit-infested versions were issued.

This maybe illustrates three points: