But the problem is that there is often a major count of connections from legitimate workers.
Connections per worker by itself can't be a useful metric. I think I have about 45 workers connected to you on two accounts spread across 2 IP addresses (one for my colo, one for my kitchen).
Trying to imagine what botnet scenarios are likely and how to fingerprint them...
1. CPU zombie miners, home computers: <= 3 CPU-level workers per IP address, many IP addresses, all on a single worker account
2. CPU zombies, corporate environment: any number of CPU-level workers from a single IP address, all on a single worker account
3. GPU zombies, home: <= 4 GPU-level workers per IP address, many IP addresses, all on a single worker account
4. GPU zombies, corporate: any number of GPU-level workers from a single IP address, all on a single worker account
All but #4 are probably reasonable rules for identifying botnet operators. #4 doesn't work, though, since a botnet infecting a single corporation with mining-capable GPUs is going to appear similar to a large-scale mining operation behind NAT.
#1 and #3 could be gamed by the botnet operator setting up a proxy so that the workers all seem to be in the same place. #1 then looks like #2 (still bannable) and #3 looks like #4 (confusion!).
Additionally, the operator who sets up many separate accounts with the pools they use could evade this kind of heuristic. Perhaps it is to combat such things that I have seen some pools requiring a CAPTCHA solve to create a new worker, even for a logged-in user.
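The four scenarios above and the proxy evasion in #1/#3, as an added example that is not from the original post: a pool-side classifier run over constructed connection records. The thresholds MANY_IPS and SINGLE_IP_MIN, and the per-worker `kind` field (CPU vs GPU, assumed to be derived by the pool from reported hashrate), are assumptions.

```python
from collections import defaultdict

# Thresholds are assumptions for this example; the post only says "many" and "<= 3 / <= 4".
MANY_IPS = 20          # how many distinct IPs count as "many IP addresses"
CPU_PER_IP_MAX = 3     # scenario 1: <= 3 CPU-level workers per IP
GPU_PER_IP_MAX = 4     # scenario 3: <= 4 GPU-level workers per IP
SINGLE_IP_MIN = 10     # scenarios 2/4: "any number" behind one IP; only flag large counts

def profile(connections):
    """connections: iterable of (account, ip, worker_name, kind), kind in {'cpu','gpu'}.
    Returns {account: (kinds, distinct_ips, max_workers_behind_one_ip)}."""
    workers = defaultdict(lambda: defaultdict(set))   # account -> ip -> {worker names}
    kinds = defaultdict(set)
    for account, ip, worker, kind in connections:
        workers[account][ip].add(worker)
        kinds[account].add(kind)
    return {acct: (kinds[acct], len(ips), max(len(ws) for ws in ips.values()))
            for acct, ips in workers.items()}

def classify(kinds, n_ips, max_per_ip):
    """Match one account's profile against the four botnet scenarios in the post."""
    if kinds == {"cpu"}:
        if n_ips >= MANY_IPS and max_per_ip <= CPU_PER_IP_MAX:
            return "1: CPU zombies, home"
        if n_ips == 1 and max_per_ip >= SINGLE_IP_MIN:
            return "2: CPU zombies, corporate"
    if kinds == {"gpu"}:
        if n_ips >= MANY_IPS and max_per_ip <= GPU_PER_IP_MAX:
            return "3: GPU zombies, home"
        if n_ips == 1 and max_per_ip >= SINGLE_IP_MIN:
            return "4: ambiguous (GPU botnet or legitimate NAT farm)"
    return "no match"

def classify_all(connections):
    return {acct: classify(*p) for acct, p in profile(connections).items()}

def behind_proxy(connections, proxy_ip):
    """Model the evasion in the post: a proxy makes every worker appear to share one IP."""
    return [(a, proxy_ip, w, k) for a, _ip, w, k in connections]

# Constructed sample data (not from the post); documentation-range IPs.
SAMPLE = (
    [("zombies_cpu", f"198.51.100.{i}", f"bot{i}", "cpu") for i in range(1, 31)]   # scenario 1
    + [("zombies_gpu", f"203.0.113.{i}", f"bot{i}", "gpu") for i in range(1, 31)]  # scenario 3
    + [("office_cpu", "192.0.2.10", f"pc{i}", "cpu") for i in range(40)]           # scenario 2
    + [("colo_farm", "192.0.2.20", f"rig{i}", "gpu") for i in range(22)]           # looks like 4
    + [("hobbyist", "192.0.2.30", "rig0", "gpu"), ("hobbyist", "192.0.2.30", "rig1", "gpu")]
)

if __name__ == "__main__":
    for acct, verdict in classify_all(SAMPLE).items():
        print(f"{acct:12} {verdict}")
    # Same CPU botnet seen through a proxy: #1 collapses into #2, as the post predicts.
    print("proxied:", classify_all(behind_proxy(SAMPLE[:30], "192.0.2.99")))
```

The `colo_farm` account (22 GPU rigs behind one NAT address) lands in the ambiguous #4 bucket alongside a hypothetical corporate GPU botnet, which is exactly why that rule alone cannot be used to ban.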