> by exploiting compromised home routers and cameras, mainly in residential ISPs in the United States and other countries,
Presumably it’s possible to log the residential IP of the source of these packets.
Why isn’t there any industry group pushing for the ISPs to a) send the owners an email telling them or b) block off all traffic for a period to get them to do something - or is the economic cost higher than that caused by the DDoS attacks?
What percentage of the population would have any idea how to do this? How long does it take to go through the process? Is your work, education, and safety just put on pause during this phase?
The economic costs of that fall on the (residential) ISPs and they aren't really incurring very much cost in additional bandwidth from the outgoing attacks. In most cases it will be 0. It's not 'good', as it could affect quality to a certain extent for other subscribers and it's theoretically possible it could result in a slightly higher transit bill, but ultimately it's just not really a problem for them.
Setting up the infrastructure to email customers and tell them they've got an infected device is just going to cause the subscriber to:
A) Call customer support and tie up an agent who can't really tell them much - you're also going to have to train all your CS agents on these letters and what they mean.
B) Complain on faceybook/Churn off your network.
or
C) They'll ignore it
About one in a million will fix the issue themselves.
Some of these devices are controlled by the ISP. The T-Mobile 5G routers, for example, are pretty much black box devices controlled by T-Mobile. The homeowner can't fix the device and has very limited access (via a mobile app) to 'manage' the device.
I don't think there's a strong overlap between ISP-controlled black boxes and compromised botnet nodes. However, if there is, that just means that the ISPs should be partially held liable.
This has always been the elephant in the room. IMHO, US intelligence doesn't want this, so Congress won't do it. Intelligence controls or buys these botnets when they need them, so regulation here is always impossible to push, but in other countries it is more common.
Sure, but if they now go out and say do this and that to secure them, a big portion of the users will have support issues. They don't understand the instruction, they pressed the wrong button, they entered the wrong value, all sorts of things could go wrong and the ISP has to dedicate resources to fixing it while they don't gain anything in return.
Most routers shipped by ISPs have remote management enabled; they can be reconfigured by the ISP themselves without having to involve the end user in the process.