
You could only make an app that would explode if/when they decide to change keys.



Along with any official client that is slightly out of date. Twitter might be hesitant to alienate their users.


The app could also just download the latest extracted keys from your server when it experiences an authentication failure.


I guess Twitter, and any other client, would just say - key revoked, you need to update the app for it to work again. It's an endless game of cat and mouse.


Using the official key in an unofficial client sounds like a problem that will be solved with the legal system, not by increasing the burden on Twitter.


Maybe. Look at AIM and the free/shareware clients for a historical example.


But they can't change those keys without isolating every installation until it's updated, right?


Indeed. Constantly changing keys would cause as many problems for users of the official client as it would for unofficial clients.

Twitter could make some way for the official client to fetch new keys from a server without a binary update, but then they'd have to somehow protect that mechanism from third parties...

I suppose the next logical step would be to procedurally generate keys based on the date, and have only the algorithm (not the keys themselves) known to the official client. Not in any way insurmountable, but a little more difficult to crack.
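An added example, not part of the thread: a sketch of the date-derived key scheme suggested in the last comment, showing what rotation does and does not protect. The HMAC-SHA256 construction, the seed value, the function names and the one-day skew window are all assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed value: stands in for the secret an official client would embed.
EMBEDDED_SEED = b"constructed-demo-seed-not-a-real-key"


def key_for_day(seed: bytes, day: date) -> str:
    """Derive that day's client key as HMAC-SHA256(seed, ISO date)."""
    return hmac.new(seed, day.isoformat().encode(), hashlib.sha256).hexdigest()


def server_accepts(seed: bytes, presented: str, today: date, skew_days: int = 1) -> bool:
    """Recompute keys for today +/- skew_days and compare in constant time."""
    for offset in range(-skew_days, skew_days + 1):
        expected = key_for_day(seed, today + timedelta(days=offset))
        if hmac.compare_digest(expected, presented):
            return True
    return False


def demo() -> dict:
    today = date(2013, 3, 1)  # constructed date
    later = today + timedelta(days=30)
    official_key = key_for_day(EMBEDDED_SEED, today)
    # Any party holding the same seed and algorithm derives the same keys,
    # including keys for dates that have not happened yet.
    same_seed_elsewhere = bytes(EMBEDDED_SEED)
    future_key = key_for_day(same_seed_elsewhere, later)
    return {
        # A key derived today is accepted today.
        "accepted_today": server_accepts(EMBEDDED_SEED, official_key, today),
        # A key copied out once stops working after the skew window.
        "static_copy_rejected_after_a_week": not server_accepts(
            EMBEDDED_SEED, official_key, today + timedelta(days=7)
        ),
        # Rotation does nothing once the seed itself is known.
        "seed_holder_accepted_in_30_days": server_accepts(
            EMBEDDED_SEED, future_key, later
        ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The scheme expires a single copied key, but the long-lived secret has only moved from the key to the seed, which ships in the same binary.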



