If an attacker has access to the private key, they could use the Host-key rotation feature to migrate you to an attacker-controlled key instead, as the old key is trusted. So, GitHub needs everyone to forcibly untrust the old (exposed) key.
The problem with rotating this particular private key is that it's incredibly disruptive. Everyone who uses GH will see a big scary message from ssh saying the host key changed and something malicious might be going on. A majority of those people probably won't have seen a blog post announcing the change beforehand.
Anyone who's baked the host key in the known_hosts file that gets shipped on their CI systems would start to see jobs failing, and have to manually fix it up with the new host key.
These things are just annoying enough that I think it's perfectly understandable that GH doesn't want to regularly rotate this private key.
Host-key rotation would enable the attacker to continue, but the attacker could be detected simply by diligent people monitoring the github key they use.
The current rotation allows anyone to try to fish the lazy users (like me probably) who will just trust on first use. Probably a bigger risk than key compromise, since they have logs.
It could be a better idea to use Host-key rotation, despite it making the life of a key-thief a bit easier. Just because it exposes people less against opportunistic impersonators.
1. IIRC UpdateHostKeys does not remove the old key, so it would still be there, lurking (I haven't checked the code).
2. It was only added in OpenSSH 6.8, so it missed Ubuntu 14.04 release, and only really turned up in 16.04 LTS that way, plenty of old systems it wouldn't work on.
As other posters noted, a bad actor could rotate the key to their chosen keys just as easily as GitHub could cause the rotation.