Yes, the hash of the compromised file would be changed to Not Safe, but since the analysis result is stored in the database for quick lookups, this would still be an issue. The only way to fix this issue, for any security product (traditional signatures, next-gen, reputation based), is to reanalyze the file, manually or automatically. As an example, when you visit virustotal.com to upload files, it does not analyze the file from scratch each and every time. It will do a quick database lookup of the previous result. You can click the Reanalyze File button at the top right to manually reanalyze the file.
So we basically have a choice… we can either have quick database lookups, or we can upload and analyze the file each and every time it is encountered on an endpoint. Obviously, uploading and analyzing the file each and every time would never work, so we have to find the right balance. WLC is set to automatically reanalyze the file if the result is older than 1 week, which is probably about the right balance.
Having said that, supply chain attacks are quite rare. I mean, there are up to 1 million new malware files each day, and you and I have only heard of 3-4 supply chain attacks ever.
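The cache-versus-reanalysis trade-off described in this reply, as an added illustration that is not the product's or the poster's own code: a hash-keyed verdict cache with a one-week freshness window, showing that a cached "Safe" verdict survives a later intel update until the entry goes stale or is reanalyzed manually. `VerdictCache`, the `analyze` callback and the sample artifact are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict

MAX_AGE = timedelta(days=7)  # reanalysis window quoted in the reply (assumed policy)


@dataclass
class Verdict:
    label: str             # "Safe" or "Not Safe"
    analyzed_at: datetime  # when the full analysis actually ran


class VerdictCache:
    """Hash-keyed verdict store with a freshness window (illustrative, not WLC's code)."""

    def __init__(self, analyze: Callable[[bytes], str], max_age: timedelta = MAX_AGE):
        self._analyze = analyze
        self._max_age = max_age
        self._db: Dict[str, Verdict] = {}
        self.analyses = 0  # counts full analyses, so cache hits are visible

    def lookup(self, data: bytes, now: datetime, force: bool = False) -> Verdict:
        digest = hashlib.sha256(data).hexdigest()
        cached = self._db.get(digest)
        stale = cached is None or now - cached.analyzed_at > self._max_age
        if force or stale:  # "Reanalyze" button (force) or entry older than the window
            self.analyses += 1
            cached = Verdict(self._analyze(data), now)
            self._db[digest] = cached
        return cached


def demo() -> dict:
    # Constructed sample: the file bytes never change, but the scanner's knowledge
    # about that hash does (intel flags it after it was first seen and cached).
    artifact = b"constructed sample build artifact"
    known_bad = set()

    def analyze(data: bytes) -> str:
        return "Not Safe" if hashlib.sha256(data).hexdigest() in known_bad else "Safe"

    cache = VerdictCache(analyze)
    t0 = datetime(2020, 1, 1)
    first = cache.lookup(artifact, t0).label                      # full analysis: Safe
    known_bad.add(hashlib.sha256(artifact).hexdigest())           # intel later flags it
    day3 = cache.lookup(artifact, t0 + timedelta(days=3)).label   # cache hit: still Safe
    day8 = cache.lookup(artifact, t0 + timedelta(days=8)).label   # stale: reanalyzed, Not Safe
    cache.lookup(artifact, t0 + timedelta(days=9), force=True)    # manual reanalysis runs anyway
    return {"first": first, "day3": day3, "day8": day8, "analyses": cache.analyses}
```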