“A degree in economics is not needed to know that if the damages of something is causing x2 the amount that can be spent to avoid the damages - then half of the amount should be spent.”
The questions are: damages caused to whom and amount to be spent by whom (& who is going to make them)? If it were a simple case of weighing the aggregate costs of attacks against the aggregate costs of implementation of mitigation, then we would have seen universal implementation of BCP38 two decades ago.
Unfortunately, we don’t live in a child’s mind where things are simple. In reality the parties incurring the costs of attacks are not the same as those that aren’t implementing the solutions to prevent them from occurring.
If your neighbor has a credit card debt of $20k on which he’s paying 18% interest, and you have savings of $20k on which you are receiving 2% interest, then with your logic you should immediately pay off your neighbor’s debt, because that’d be cheaper for you both, collectively.
But obviously you wouldn’t do this, because you’re NOT a collective (your neighbor’s wallet/bank account and yours are not the same) and thus you both need to be considered separately. You don’t need a degree in economics to realise this, just a shred of common sense suffices.
If every network configured their own equipment as well as they wish others would, there wouldn’t be a problem in the first place. Fact is, they won’t. And getting someone that has already spent time and/or money on configuring their own equipment correctly to pay for the privilege of not getting attacked by the equipment of someone else that is either too lazy or cheap to do so is going to be a tall order.