
I agree 100%.

I've also wondered why ISPs don't do more to shut down customers that are participating in a DDOS (at least for DDOS attacks where the source IP isn't spoofed)? I would be very happy if my ISP were to let me know that something on my network is involved in an attack.



My ISP does that (XS4ALL, the Netherlands). Of course they can't know everything but if they receive abuse reports, notice your IP got blacklisted for spam or some honeypot network got a whiff of your IP address running malware variant XYZ, they put your IP address in quarantine (only 80 and 443 outgoing I think, or maybe only to the ISP's own website or something) and ask what's going on.

I can tell you they're a real pain to convince to unblock you when you are 17 and have been a bad netizen. Which is a good thing.


When it comes to IP-spoofing-based DDoS attacks, the ISPs capable of tracking spoofed traffic on their network don't allow spoofed traffic. If they don't allow the spoofed traffic, you aren't participating in the DDoS.


Absolutely. No ISP should allow a packet with a spoofed IP to leave its network.


Is there an easy way to figure out if it's possible on my ISP's network?


Run tcpdump on an EC2 instance and send spoofed traffic to it to see if it shows up. :)


It's about blocking non-spoofed attacks.


Support costs for shutting down the average user are higher than the costs of bandwidth. Telling someone that their internet was shut off because their device was used in a botnet would lead to very long support calls and escalations.


Then people and businesses that are DDOS'd should be able to recover damages from the ISPs.
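
Added example, not written by any commenter in this thread: a small model of the egress source-address check discussed above, where an ISP edge only forwards packets whose source belongs to a prefix assigned to that customer port. The port names, prefixes and packets are constructed; the third packet shows why this check does not stop attack traffic sent from a real, unspoofed address.

```python
import ipaddress

# Constructed sample: prefixes the ISP has assigned behind each customer port.
ASSIGNED = {
    "port-1": ["198.51.100.0/29", "2001:db8:1::/48"],
    "port-2": ["203.0.113.64/26"],
}

def build_table(assigned):
    """Parse the per-port prefix lists once, up front."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}

def egress_verdict(table, port, src):
    """'forward' if src lies in a prefix assigned to this port, else 'drop'."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"  # unparseable source address
    for net in table.get(port, []):  # unknown port: nothing is assigned
        if addr.version == net.version and addr in net:
            return "forward"
    return "drop"

def filter_packets(table, packets):
    """packets: iterable of (port, src, dst). Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        ok = egress_verdict(table, pkt[0], pkt[1]) == "forward"
        (forwarded if ok else dropped).append(pkt)
    return forwarded, dropped

# Constructed traffic, one case per line.
PACKETS = [
    ("port-1", "198.51.100.3", "192.0.2.10"),           # normal customer traffic
    ("port-1", "192.0.2.10", "192.0.2.77"),             # source forged as a third party
    ("port-2", "203.0.113.70", "192.0.2.10"),           # infected device, real source
    ("port-2", "198.51.100.3", "192.0.2.10"),           # another customer's address
    ("port-1", "2001:db8:1:5::9", "2001:db8:ffff::1"),  # IPv6 inside assigned /48
]

if __name__ == "__main__":
    fwd, drop = filter_packets(build_table(ASSIGNED), PACKETS)
    for p in fwd:
        print("forward", p)
    for p in drop:
        print("drop   ", p)
```

The infected device on port-2 passes the filter because its source address is genuine, which is the case where abuse reports and quarantine, as described earlier in the thread, are the remaining control.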



