In the case of a worm such as SQL Slammer or MSBlast that uses specific ports to propagate, I think that the ISP should be prepared to block those ports if necessary. Perhaps blocking them proactively is a little extreme, but once the worm hits and is already impacting the network, the loss of performance from filtering the ports would be preferable to the loss of the entire network from the overwhelming amount of traffic.
Lastly, I don't see why ISPs can't implement some sort of honeypot or IDS (Intrusion Detection System) on their network to monitor and log infected systems. Rather than trying to monitor every packet that flows through the network and slow the whole thing down, they can strategically place systems throughout the network and let the infected traffic come to them. Once they log the IP addresses of the systems that are propagating the malicious code on their networks, they can take steps to disconnect those customers and contact them to let them know they are infected. If they wanted to really provide customer service, they could also walk the user through the steps necessary to clean and patch the system so they can safely get back online.
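As an added illustration of the monitor-and-notify approach (example code written for this page, not the author's), the following script reduces flow records to the two propagation ports the worms used (UDP 1434 for SQL Slammer, TCP 135 for MSBlast) and flags a customer host only when it reaches many distinct destinations on one of those ports within a short window, so an ordinary client talking to a single SQL server is not mistaken for a scanner. The record layout and the sample flows are assumptions constructed for the example.

```python
from collections import defaultdict

# Propagation ports of the two worms the article names (well-known values).
WORM_PORTS = {("udp", 1434): "SQL Slammer", ("tcp", 135): "MSBlast"}


def find_infected(flows, threshold=20, window=60):
    """Return {src_ip: worm} for sources that reach >= threshold distinct
    destinations on a worm port within any `window`-second span.

    flows: iterable of (ts_seconds, src_ip, dst_ip, proto, dst_port).
    A host talking to one SQL server on 1434 is not flagged; a host
    spraying 1434 across a subnet is.
    """
    hits = defaultdict(list)  # (src, worm) -> [(ts, dst), ...]
    for ts, src, dst, proto, port in flows:
        worm = WORM_PORTS.get((proto.lower(), int(port)))
        if worm:
            hits[(src, worm)].append((ts, dst))

    infected = {}
    for (src, worm), events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window by timestamp
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({dst for _, dst in events[start:end + 1]}) >= threshold:
                infected[src] = worm
                break
    return infected


def sample_flows():
    """Constructed flow records: one Slammer scanner, one legitimate SQL
    client, one MSBlast scanner, plus unrelated web traffic."""
    flows = [(0, "10.1.1.2", "203.0.113.8", "tcp", 80)]
    for i in range(50):  # 50 targets on UDP/1434 in 10 s -> Slammer
        flows.append((i * 0.2, "10.1.1.5", f"10.2.0.{i + 1}", "udp", 1434))
    for i in range(50):  # same server on UDP/1434 repeatedly -> legitimate
        flows.append((i * 0.2, "10.1.1.9", "10.3.0.10", "udp", 1434))
    for i in range(25):  # 25 targets on TCP/135 over 40 s -> MSBlast
        flows.append((i * 1.6, "10.1.1.7", f"10.4.0.{i + 1}", "tcp", 135))
    return flows


if __name__ == "__main__":
    for ip, worm in sorted(find_infected(sample_flows()).items()):
        print(f"{ip}: {worm} propagation seen; quarantine and notify customer")
```

The flagged addresses are the list the article proposes handing to the abuse desk for disconnection and customer contact.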
It is truly difficult to point a finger at one entity and determine whose fault the problem really is. The answer seems to be all of the above. The vendors need to do more to write more secure, less vulnerable products to begin with. The users need to do more to patch and protect their systems to keep from becoming a victim and propagating malicious code onto others. The ISPs need to accept more responsibility for protecting their networks and their customers from the few who do become infected. Maybe if all parties would do just a little more to protect their piece of the problem, the whole Internet would benefit and be safer from threats such as SQL Slammer and MSBlast.
