Stupid users the real problem...
The real problem is that the whole internet model was built on trust, and while this helped to facilitate its explosive growth 15 years ago, it became mainstream enough for 'normal' (i.e., tech-ignorant) people to use, and exploitable toeholds appeared (largely through MS ignorance and naivety). It was not nipped in the bud then as it should have been, and now we have a raging bot epidemic beyond anyone's ability to disinfect.
The result is that stupid users have the freedom to install stupid stuff on their machines and give the criminals their machines on a plate too easily.
People should have the right to install stupid stuff if they really want to, but educating them (exams?), rapid response by ISPs, and improved OS security models are the way to go.
Any non-Windows OS is no different: anyone could install a malware app on Mac or Linux too, if the user agreed, thinking that they need it. It's just that, in general, Linux users are much more in tune with their systems than average, and can recognise malware if they come across any. Teaching new Linux users the importance of strong passwords is also recommended. I get many ssh brute force attacks from badly configured Linux systems that have been compromised.
It would not hurt if ISPs blocked ports 25 and 587 by default and opened them on request for their users: if a user doesn't know what port 25 is, then they don't need it!
ISPs operate on such rock-bottom margins, by overcompeting with each other, that they don't have budgets to manage security, and having a bot-infested network does not significantly affect their bottom lines at present.
If big web content providers, news sites, Facebook et al. got ballsy and started to ban bot-infested ISPs with poor reputations, then something would be done bloody quickly, as the users would complain and migrate to other providers instead, taking their infected machines with them, and hopefully get some education in keeping their machines clean.
AFAIK there are no laws in the free world that require ISPs to obey a set of simple guidelines, to provide abuse reporting addresses and to act on reports, nor even any that require the whois registry to make an ISP provide such information.
Something should be done!