You are right, if your server is already infected, probably nothing can help.
However, the advantage in external scanning is that this service should find the vulnerability before the first attacker finds it.
And even if there was an attacker around, in many cases, after a break-in the attackers leave a listening service that can be detected by an external scanner. The good scanners are also designed to find backdoors, not only sql injection or cross site scripting holes.
Im sure you have seen houses secured with a big fence + 2 locks on the door + alarm system + a scary dog running in the back yard...
An external vulnerability scanner is definately not the only thing you should do to make your system secure, but it is an important part of your security protection suit.