For ASLR to be effective, it is required to have the application and all its libraries compiled with an ASLR enabling flag, such as -fstack-protector or -pie -fPIE for gcc compiler, which isn't always possible. If there is at least one module that doesn't support ASLR, it becomes possible for the attacker to find the required ROP gadgets there. This is especially true for tools that have lots of plugins written by third parties or applications that use lots of different libraries. While the kernel32.dll's ImageBase is still randomized (so that the attacker can't directly return to an API inside), it's easily accessible from the import table of the loaded non-ASLR module(s).