Since every bitcoin transaction is public, why don't we build a public blacklist of the addresses holding stolen coins (and of all addresses these bitcoins are further transferred to), so that the hackers cannot get too much from their actions?
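The "follow the coins to every later address" part of the proposal above, as an added example that is not from anyone in this thread: a forward taint walk over a small constructed transaction graph. `TXS`, `trace_taint` and every address name are made up for the illustration; the rule used (any tainted input taints all outputs of the spending transaction) is the simplest possible one, not what any real tracing service does.

```python
from collections import deque

# Constructed sample ledger (not real transactions).
# txid -> (spent outpoints as (txid, output_index), outputs as (address, amount))
TXS = {
    "coinbase1": ([], [("alice", 50)]),
    "coinbase2": ([], [("carol", 50)]),
    "coinbase3": ([], [("dave", 50)]),
    "theft":     ([("coinbase1", 0)], [("thief", 50)]),             # alice's coins stolen
    "launder1":  ([("theft", 0)], [("mixer", 30), ("thief_change", 20)]),
    # carol's honest coins are spent in the same tx as stolen ones
    "merge":     ([("launder1", 0), ("coinbase2", 0)], [("exchange", 80)]),
    "clean":     ([("coinbase3", 0)], [("dave2", 50)]),             # never touches taint
}


def trace_taint(txs, stolen_outpoints):
    """Walk forward from the stolen outputs through every spend.

    Returns (tainted_addresses, tainted_outpoints). An output is tainted when
    the transaction creating it spends at least one tainted outpoint, so taint
    also spreads to honest coins merged into the same transaction.
    """
    spender_of = {}                      # outpoint -> txid that spends it
    for txid, (inputs, _outputs) in txs.items():
        for outpoint in inputs:
            spender_of[outpoint] = txid

    tainted = set(stolen_outpoints)
    addresses = {txs[txid][1][idx][0] for txid, idx in stolen_outpoints}
    queue = deque(stolen_outpoints)
    while queue:
        outpoint = queue.popleft()
        spender = spender_of.get(outpoint)
        if spender is None:              # unspent: coins still sit at this address
            continue
        for idx, (addr, _amt) in enumerate(txs[spender][1]):
            new_outpoint = (spender, idx)
            if new_outpoint not in tainted:
                tainted.add(new_outpoint)
                addresses.add(addr)
                queue.append(new_outpoint)
    return addresses, tainted


if __name__ == "__main__":
    addrs, outs = trace_taint(TXS, [("theft", 0)])
    print(sorted(addrs))   # carol's coins end up tainted at "exchange", dave's do not
```

The `merge` transaction is the collateral-damage case the replies below worry about: carol's coins are blacklisted the moment they share a transaction with stolen ones, while dave's untouched chain stays clean.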
The moment we start maintaining a list of blacklisted/tainted/marked coins that are not accepted everywhere is when bitcoin will start failing. The list will start off innocent enough, but when (not if) it starts being abused, it'll be all over. It'll start with blatant thefts like this, but the blacklist-maintainers, whoever they are, will eventually attract the attention of law enforcement. The definition of theft will expand and expand. Eventually these blacklist-maintainers and/or GOV will decide which coins are valid and which are not. Coins will be seized just because of some random political agenda and bitcoin will just be a mess. The only way to stay off the blacklist will be to register with some authority, and basically bitcoin will be no different from a regular bank. Then everyone will abandon it and go to Litecoin.
Seriously, the moment I hear about a blacklist of coins on bitcoin is the same day I buy $5,000 USD of Litecoin. I'll be a millionaire within 8 months.
If you could get such a thing in place, couldn't everyone just roll back transactions?
I feel like having such a system in place would probably end up breaking a lot of the legitimacy (since you'd need over half of miners to agree to it, in which case some sort of "central" entity would exist)
You could, to a point, but you would need a lot of mining power and the ability to act quickly.
BIPS didn't announce that they'd been compromised until over a week after the funds were sent out, so it's completely impossible at this point. If you wanted to get a transaction with one confirmation reversed, you would need to convince the two largest pools (ghash.io and btcguild) to mine a fork that doesn't contain your blacklisted transaction in under 10 minutes, and even then they'd create a very noticeable reorganisation. You'd also then have to race to get your funds out, as you know your keys have been compromised.