On the surface it appears to be nothing more than a hassle for my department. To a point that's fine - that's what our department is paid to do. However, there is an opportunity cost there - the time we spend cleaning up the mess is time we could have spent elsewhere. There's also a cost to the students, staff and alumni involved in the attack (yes, we provide email to all three groups) - students and staff dislike the policy we have of making them prostrate themselves before our department to ask that they be let back in after falling victim to a phishing scheme, while alumni actually have to be shuffled between departments trying to find the right people to talk to to get their account unlocked.
Further down the line we suffer some knock-on effects. Government, in particular, has some stringent blacklists that we made following the recent spate of spam originating from our server. That's tough for a lot of our researchers who are working with the government on various and sundry projects, or for students who are waiting to hear back on research grants. Business uses a lot of these lists too, but calling up a business and asking them to correct their blacklist is fairly straightforward and is usually done within hours. The government is another matter altogether. It's usually faster to just wait until the ban expires rather than actually push to get removed.
So there are costs to phishing besides the nominal cost of bandwidth. And that's ignoring other phishing attacks I've seen scanning through some of our spam filter's archives. One that comes quickly to mind offers job opportunities to new graduates if they submit various pieces of personal info (name, birth date, SIN number). Identity theft *is* common, and phishing is a common vector for identity theft.
As for the profitability, I imagine it's a lot like most industries. A few guys with high-grade organizations are raking it in, a few middle-of-the-road companies are making enough to get by (usually taking contract work for the big guys), and the rest are lame-duck orgs who think "get rich quick" and find out it's not so.