Regarding your first statement, while it's technically correct that map data varies a lot more than timings, they are already doing it. They have released heatmaps of the most visited places in Tibia and it's quite clear that they had an interest in this sort of statistical analysis. If they aren't using it to detect bots, I would be hugely surprised.
Science papers are great, as is research, but it doesn't always play out in the real world. In most games, it's very difficult to track coordinates of players because they are decimal and nowhere near as binary as Tibia. In Tibia there is a fixed number of places a player can be and directions they can face; this makes the game very different from the majority of subjects (most likely the paper was written about World of Warcraft or something, a much more popular game). Bots do stick to rules, but they do also have random behaviours.
Spam rate is how often the bot will press the button when he needs to. For example, if you set it to 30ms and your ping is 60ms, he might send the key 2x because the first one wasn't recognised before the spam rate timed out. It's reset each time the spell is cast.
WindBot is already very random by comparison to XenoBot. XenoBot would be the easiest to detect in my experience because it is very rigid. The scripting interface is bad and this makes players rely on the same generic functionality a lot more, which will increase the probability of CIP finding patterns in players using it. WindBot, on the other hand, has a variety of ways to do everything, all of which can be hugely customised by editing Lua. In reality, it depends on how DarkstaR implemented things in XenoBot, but I don't feel he would've gone to the effort to make everything as random as it could be with WindBot.
Finally, true random number generators are impossible in computer science. It's impossible to design something to be random. You can design it to select a number which you didn't choose in advance, but it will be preset by the state of the machine at first boot. If you were to re-build the same machine, in the same way again, it will result in the same random numbers coming out, and thus it isn't truly random. Pseudorandom is all we have, but it's good enough. If you use a good enough seed, it's near impossible to work out what it is unless you know how it's implemented and every time it's used.
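An added example, not part of the post above and not any game operator's actual detection code: because positions are discrete tiles, a server-side check can measure how predictable a session's next tile is given its current tile, which is the kind of rigidity the post says makes a client easier to spot. The function names, sample paths, `min_steps` and `threshold` are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

def transition_entropy(path):
    """Conditional entropy H(next tile | current tile), in bits, of a tile path."""
    by_tile = defaultdict(Counter)
    for cur, nxt in zip(path, path[1:]):
        by_tile[cur][nxt] += 1
    total = len(path) - 1
    if total <= 0:
        return 0.0
    h = 0.0
    for nexts in by_tile.values():
        n = sum(nexts.values())
        for count in nexts.values():
            p = count / n
            # Weight each tile's entropy by how often the session stood on it.
            h -= (n / total) * p * math.log2(p)
    return h

def flag_rigid(path, min_steps=20, threshold=0.25):
    """Flag a session whose movement is almost fully determined by the current tile.
    min_steps and threshold are assumed values, not tuned on real data."""
    steps = len(path) - 1
    return steps >= min_steps and transition_entropy(path) < threshold

# Constructed sample: a fixed 8-tile waypoint loop walked five times.
LOOP = [(0, 0), (1, 0), (2, 0), (2, 1), (2, 2), (1, 2), (0, 2), (0, 1)] * 5

# Constructed sample: a walk over the same 3x3 area with varying choices.
WANDER = [
    (1, 1), (1, 0), (1, 1), (2, 1), (1, 1), (1, 2), (1, 1), (0, 1), (1, 1),
    (1, 0), (0, 0), (0, 1), (1, 1), (2, 1), (2, 2), (1, 2), (1, 1), (0, 1),
    (0, 2), (1, 2), (1, 1), (1, 0), (2, 0), (2, 1), (1, 1),
]

if __name__ == "__main__":
    for name, path in (("loop", LOOP), ("wander", WANDER)):
        print(name, round(transition_entropy(path), 3), flag_rigid(path))
```

A low score is one signal among several: a player who walks the same route by hand also scores low, so a check like this would feed a review queue rather than decide anything alone.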