The mount count can give you a good idea of how many times the system has been rebooted. It's probably a better way of figuring that out than looking at the output of 'last reboot'.
Thing is that, in either case, the count can get reset, so you need a way of determining
when that has happened.
For the mount count of / , it gets reset whenever you do an fsck (usually at boot time) When that happens, then you know that the system has been rebooted 'at least once' since the last time you looked. (the current mount count would be the probable count
of the number of times the system has been rebooted). Note that, if someone does, for example, a CDROM boot and mounts the normal root filesystem, there would be no real way to distinguish that from a boot. Similarly, if someone
does multiple such mounts and then does an FSCK, you would see that as only one 'boot'.
wtmp (used for 'last') is good as far as it goes, but the file is cycled from time to time, so you need to keep track of the most recent boot time the last time you checked, and
only count more recent boots. If someone gains root access, they can mess with the file, but if an attacker gets root access they can change pretty much anything that you're dependant on, anyways.. (i.e. you're hooped at that point if you've got a malicious root process).