Seems overblown. They said crypto, gaming, gambling, advertising, and marketing sites were the biggest targets. Not exactly critical stuff.
As far as botnets... Let orgs or agencies either patch the devices or disconnect them. Seems like there should be an agency that scans for problematic devices and takes action automatically.
Good news, there are agencies which look for these vulnerabilities and report the issues to manufacturers! But usually the person who makes the botnet patches the vuln. after they infect the device so no one else can take control of it. So, unless the owner of the device that is a part of the botnet updates software after a fix is implemented and factory resets, nothing can be done to 'remove' the device from the botnet.
Not exactly true. Upstream could just disconnect the user, for example at the ISP. One could also just disconnect whole countries if needed. We just do not take these things seriously.
Similarly, white hats could be scanning for vulnerabilities and patching them when found before they could be exploited.
Similarly, one could require all internet facing stuff to have an auto update feature.
It's a sad development, but inevitable. Eventually you can't discern malicious traffic from real user traffic. I'm pretty curious as to what will happen then.