Seems like they can only patch the application remotely - and not the OS - at least not at the same time (patch OS - then after reboot - let the app look for updates. The time between could have been enough to compromise it again)
Alternatively, they can patch both but the malware achieves persistence in firmware. Which may not even be a sign of particular sophistication, depending on what protections Barracuda had in place.
Or it could be as simple as that the software update application on the device has been patched to re-add the malware after flashing the software update.
