Sorry, that's inaccurate, we do not set disable_functions by default, so it is quite easy to create a cron job from php unless you're using php-fpm in chroot mode (which was not the case). So, simply having a lot of compromised websites at the same time is indeed a consideration to check. What were the filenames of the cronjobs?
