Zombies are a big problem, but ISPs are in a unique position to fix it and should be motivated to do their part. An ISP can detect when one of its customers' PCs starts sending spam, either by outbound content control or by spotting an unusual spike in volume. ISPs may even be able to detect the earlier signs of infection, such as a connection to an IRC channel used to control the bots.
When an ISP detects a zombie, it should immediately prevent that subscriber from sending email. It should make contact with affected subscribers and help them clean up their machines. If necessary, ISPs could cut off all Internet access for those subscribers, moving them into a Web "walled garden" -- this would force subscribers to see a web page alerting them to the problem and giving instructions on how to clean up their PC.
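The volume-spike check mentioned above can be sketched as follows. This is an added example, not code from the original article: the subscriber IDs and hourly outbound TCP/25 connection counts are constructed, and the floor and sensitivity values are assumptions an operator would tune.

```python
from statistics import median

# Constructed sample data: outbound TCP/25 connections per hour for each
# subscriber over previous hours (history), then the current hour.
HISTORY = {
    "sub-1001": [2, 0, 3, 1, 4, 2, 0, 1],           # home user, occasional mail
    "sub-1002": [40, 55, 38, 61, 47, 52, 44, 58],   # small business mail server
    "sub-1003": [0, 1, 0, 0, 2, 0, 1, 0],           # home user
}
CURRENT = {"sub-1001": 5, "sub-1002": 70, "sub-1003": 900}

MIN_ABSOLUTE = 100  # assumed floor: never flag below this many connections/hour
K = 10              # assumed sensitivity: robust deviations above the baseline


def spike_threshold(history, k=K, floor=MIN_ABSOLUTE):
    """Per-subscriber threshold from the median and median absolute deviation."""
    base = median(history)
    mad = median(abs(x - base) for x in history)
    # 1.4826 scales MAD to a standard-deviation equivalent; max(mad, 1) keeps
    # a flat, near-zero history from producing a zero-width band.
    return max(floor, base + k * 1.4826 * max(mad, 1))


def find_suspected_zombies(history, current):
    """Return {subscriber: (count, threshold)} for subscribers over threshold."""
    flagged = {}
    for sub, count in current.items():
        past = history.get(sub)
        # No baseline yet (new subscriber): fall back to the absolute floor.
        limit = spike_threshold(past) if past else MIN_ABSOLUTE
        if count > limit:
            flagged[sub] = (count, round(limit, 1))
    return flagged


if __name__ == "__main__":
    for sub, (count, limit) in find_suspected_zombies(HISTORY, CURRENT).items():
        print(f"{sub}: {count} conns/hour > {limit}: "
              "block outbound mail and notify subscriber")
```

Using a per-subscriber baseline rather than one global limit keeps a legitimate small mail server from being flagged at its normal volume, while a home connection that jumps from a handful of connections to hundreds is caught.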
ISPs should be proactive in quickly fixing such problems. ISPs may need to modify their Terms Of Service, to contractually allow them to take these actions -- but take them they should, for the sake of their business.
If ISPs don't fix such problems, their reputation and the reputation of their customers may be damaged. The anti-spam industry has woken up to the fact that reputation is a good way to filter incoming SMTP connections, without the expense of content scanning. As this view becomes more prevalent, ISP customers won't want to be associated with an ISP that takes a cavalier attitude to its own reputation and that of its customers.