
ASLR, for one.


Can't they use dlopen to find libc?


dlopen is a dynamically linked function, so they would have to find that too. Its location will also be randomized.

Note we are talking about exploit code here, i.e. you have just exploited a buffer overflow, not ELF code loaded in a well-behaved fashion.
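The point above, that dlopen and the rest of libc land at a different address in every process under ASLR, can be verified directly. This is an added example, not code from the thread; it assumes a Linux host with glibc and the `/proc/sys/kernel/randomize_va_space` sysctl, spawns fresh Python processes and compares where each one finds `dlopen` and `printf`.

```python
"""Check whether ASLR moves libc symbols (dlopen, printf) between process runs.

Added example, not from the thread. Assumes Linux with glibc and the
/proc/sys/kernel/randomize_va_space sysctl (0 = off, 1 = stack/mmap/libs,
2 = also brk).
"""
import ctypes
import subprocess
import sys

# Snippet executed in a fresh interpreter: resolve a symbol in the libc the
# child already has loaded and print its address. Each new process gets its
# own randomized layout, so comparing children shows ASLR at work.
_CHILD = (
    "import ctypes, sys; "
    "lib = ctypes.CDLL(None); "
    "print(ctypes.cast(getattr(lib, sys.argv[1]), ctypes.c_void_p).value)"
)


def read_randomize_va_space(path="/proc/sys/kernel/randomize_va_space"):
    """Return the kernel ASLR level, or None if the sysctl is unavailable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def symbol_address_in_new_process(symbol):
    """Spawn a fresh process and return the address of `symbol` in its libc."""
    out = subprocess.run(
        [sys.executable, "-c", _CHILD, symbol],
        check=True, capture_output=True, text=True,
    ).stdout
    return int(out.strip())


def aslr_moves_symbol(symbol="dlopen", runs=4):
    """True if `symbol` appeared at more than one address across `runs` processes."""
    addrs = {symbol_address_in_new_process(symbol) for _ in range(runs)}
    return len(addrs) > 1


if __name__ == "__main__":
    print("randomize_va_space:", read_randomize_va_space())
    for sym in ("dlopen", "printf"):
        print(f"{sym} randomized across runs: {aslr_moves_symbol(sym)}")
```

If the sysctl reads 2 but the symbols do not move, the process is probably running with randomization disabled via personality (e.g. under some debuggers or sandboxes), which is exactly the condition that makes a fixed libc address usable.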


There are easier ways to leak libc, such as reading from the stack or the GOT, but these would require more work than a simple ROP chain.



