Of course, such a device has to be under the control of the customer. Not the ISP.
This can easily be rolled into a little box that gets updates regularly from its maker, with the current markers for bot traffic, not unlike how we deal with malware on computers already. Just that this time the box is not prone to user idiocy, clicking "yeah, go on" whenever some trojan wants a new home.
So on the one hand, you say you want to put control into the hands of the user to avoid the ISPs. Then you follow that by saying you want to put control into the hands of the maker to avoid the idiocy of the users.
This doesn't quite make sense to me. Why should we assume the makers of an anti-botnet box are any better than ISPs?