AgTalk Home

Why?
WYDave
Posted 4/7/2014 12:55 (#3802388 - in reply to #3802300)
Subject: RE: Why?


Wyoming

I'll tell you what I've advocated for a LONG time, but no ISP wants to implement and it would be:

a) cheap,
b) easy, no new hardware would be needed, only current access-list filtering in Cisco or Juniper routers would be needed,
c) and hammer spam as well as malware and viruses:

Any packet that has a "from" IP address that isn't valid in the subnet mask for the networks assigned to the source IP net, or is a private IP address, gets dropped.

Most of the spam and DDoS attacks have bogus source IP addresses. If ISPs would drop those packets, it would certainly cut down on lots of attacks.

Next thing that could be done with existing IDS systems: Blackballing. Once the amount of spam or attacks coming from within a subnet mask or ISP reaches a certain level, co-operating ISP operators could effectively black-ball the source address blocks through a BGP routing update. It would be up to the black-balled ISP operator to find and remove the source of the offending traffic, which could be as simple as dropping that customer's interface off-line.

There are ways to handle the crap that's out there, no additional hardware or software would be necessary. No one seems to want to do it, however. 
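Editor's added example, not part of WYDave's post: the source-address check he describes (commonly called ingress filtering, BCP 38), written as the per-interface decision an edge access list would encode. The interface names, prefix assignments and sample packets are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Constructed sample data: prefixes assigned to each customer-facing interface.
ASSIGNED = {
    "cust-a": ["198.51.100.0/24", "2001:db8:a::/48"],
    "cust-b": ["203.0.113.0/25"],
}

# Private, loopback, link-local, multicast and reserved sources that should
# never be accepted from a customer edge.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def check_source(interface, src):
    """Return (verdict, reason) for a packet seen on `interface` with source `src`."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "malformed")
    # Rule 1: private or otherwise unroutable source addresses are dropped.
    for net in BOGONS:
        if addr in net:  # a v4 address is never "in" a v6 network, and vice versa
            return ("drop", f"bogon {net}")
    # Rule 2: the source must fall inside a prefix assigned to this interface.
    allowed = [ipaddress.ip_network(p) for p in ASSIGNED.get(interface, [])]
    if any(addr in net for net in allowed):
        return ("permit", "in assigned prefix")
    return ("drop", "not assigned to this interface")


SAMPLE = [  # constructed (interface, source address) pairs
    ("cust-a", "198.51.100.7"),     # legitimate customer traffic
    ("cust-a", "203.0.113.9"),      # cust-b's space arriving from cust-a: spoofed
    ("cust-b", "192.168.1.50"),     # private address leaking out
    ("cust-b", "203.0.113.200"),    # same /24, but outside the assigned /25
    ("cust-a", "2001:db8:a:1::5"),  # legitimate IPv6
]

if __name__ == "__main__":
    for iface, src in SAMPLE:
        print(iface, src, *check_source(iface, src))
```

The fourth sample shows why the check has to use the exact assigned mask: an address one bit outside the customer's /25 is still a spoofed source.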


  • Why? - Alexander I Waverly : 4/6/2014 14:50
