As often as not it is a judgement call of cost to fix vs. risk.
We have the situation where we have a pair of open resolvers whose addresses have been constant for the past 17 years. We have about a quarter million customers, some of whom have those addresses embedded into devices whose passwords have been long since forgotten.
The amount of support time needed to deal with these customers from putting in ACLs to the resolvers would run into the many, many thousands of staff-hours.
As we were affected by a somewhat similar attack (a DNS amplification DDoS but with different mechanics, bouncing queries off of CPE with open forwarding resolvers) last year, we drop TYPE=ANY queries (I've yet to see a legitimate production query of that type ever) and rate-limit queries, but access lists on the servers would require such a huge expense that it's not likely to happen any time soon.
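
The policy described above (drop TYPE=ANY, rate-limit everything else) is sketched below as an added example; it is not part of the original post and not the poster's configuration. The names `QueryFilter`, `parse_qtype` and `build_query`, the rate and burst values, and the sample queries are assumptions constructed for illustration.

```python
import struct
import time

QTYPE_ANY = 255  # RFC 1035 QTYPE "*"

def build_query(name, qtype, txid=0x1234):
    """Build a constructed sample query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_qtype(packet):
    """Return the QTYPE of the first question, or None if not a sane query."""
    if len(packet) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:      # QR set (a response) or no question
        return None
    pos = 12
    while pos < len(packet) and packet[pos] != 0:
        if packet[pos] & 0xC0:             # pointer/reserved label: reject
            return None
        pos += 1 + packet[pos]
    if pos + 5 > len(packet):              # need root label + QTYPE + QCLASS
        return None
    return struct.unpack("!H", packet[pos + 1:pos + 3])[0]

class QueryFilter:
    """Hypothetical policy: drop ANY, then per-source token bucket."""
    def __init__(self, rate=20.0, burst=40.0):   # assumed limits, tune locally
        self.rate, self.burst = rate, burst
        self.buckets = {}                        # source IP -> (tokens, last seen)

    def decide(self, src, packet, now=None):
        now = time.monotonic() if now is None else now
        qtype = parse_qtype(packet)
        if qtype is None:
            return "drop-malformed"
        if qtype == QTYPE_ANY:
            return "drop-any"
        # Spoofed reflection traffic shares the victim's source address,
        # so keying on src caps what can be bounced at any one target.
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[src] = (tokens - 1.0 if allowed else tokens, now)
        return "allow" if allowed else "drop-rate"
```
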