Fixing just a few per hotel (perhaps 1 per floor), with a tripwire device that reports attempts at exploitation, might be possible at 1/100th the cost. (Most locks aren't even touched.)
Still, anyone exploiting the vulnerability at scale would soon trigger a tripwire. At the very least that lets the hotel know exploitation has begun, and it might help apprehend the burglars almost instantly.
I doubt crooks who think they have a master key will stop at just a few rooms. And once the use of the tripwires to catch a crook is reported, alongside the stories of the vulnerability itself, the expected return to this hack drops way, way down. Even criminals respond to relative risk/reward.