ISPs too cheap to enforce security
Concerning the legality of ISPs providing security services to customers whose computers have been hacked and are being used as zombies.
1. If your computer is hacked, and your computer is being used to commit crimes, and anything you do on your computer is subect to surveillance by hackers, what sort of damages could you seek from an ISP who disconnected you from the internet?
In fact, if you were unaware of the problem, or if you didn't know how to clean your computer, your ISP would be preventing further damage to your interests by disconnecting you from the internet, because the ISP is preventing the hacker from accessing your computer.
(Of course good business practices mean working with customers to keep them happy. An ISP that wants to stay in business will use one of many methods to attempt to notify a customer of the problem and direct them to help to clean the computer.)
2. If a situation arises where the terms of a contract are forcing one party to commit or aid in the commission of a crime, that part of the agreement is generally void under common law.
Once an ISP is informed that a customer computer is likely a zombie computer being used in the commission of a crime, an ISP does not have to worry about the TOS getting in the way of fighting crime. (Although good customer relations means keeping the TOS up-to-date and understandable for consumers).
3. The question is the will of certain ISPs to do their part to fight crime.
Many ISPs still see customer and internet security as an unnecessary expense. They care about their internal security, and they care about their short term profits.
These (mostly small) ISPs have been putting people off with the claim that, "as common carriers we are not responsible for what goes on in our network without our knowledge". They try hard to avoid knowing what goes on by ignoring security complaints from others.
Hence, the cost of their dereliction of duty is not levied against them, and it never enters onto their balance sheet.
Some small ISPs even offload their email services to others. For them, the only expense of not providing security is a bit of additional local network traffic. Balance that against the costs of providing customer education, customer support, distributing security software free or at a nominal charge, and you can see that for these small carriers, pretending ignorance of problems is the cheaper solution.
Basically certain ISPs are failing to protect the common good of internet users and ISPs.
These ISPs are going to continue to fail to provide security services until existing laws are enforced, new laws are created and enforced, or the use of civil action against negligent ISPs becomes more common.