It doesn't need to be a lot - just replaced in the same cadence as the latency from initial broadcast to key revocation. Even if it's all in-house in Netflix and the watermark sufficient to identify the specific device key not all releases are made instantly after being made available on the platform, it still has to be downloaded, verified, watermark extracted before the key can be revoked.

If that's just a total of a single day, 365 cheap netflix devices per year certainly isn't out of the question, especially with the number of people involved in the many ripping groups.