You buy these phones with a custom ROM in mind, as the stock software is garbage anyway.
But this still gets me worried. Does someone know if this would affect custom ROMs not based on the stock ROM?
On a phone, a "ROM" is equivalent to the OS on a PC or the firmware on a router.
It's important to remember that something runs in a lower ring than these, namely the bootloader in a phone (the "firmware"), which is equivalent to the BIOS in a PC or CFE on a router. These can be infected too and (unlike the ROM OS) are rarely changed by the end user.
I find it hilarious that people who claim to be concerned about security will use Chinese company Kingroot to root their phones. And even use scripts to uninstall all of the Tencent AV and Purify crap-cleaners that it installs, then replace Kingroot with SuperSU. Even if a company is OK at first, that doesn't mean they will always be so--the example set by China's estrong ES File Explorer should be a warning to all who granted it both storage and network access.