Not really, they are *all* part of the problem, including all of the people pointing fingers - no one is perfect at security, nor will anyone they ever be if you are realistic, although I do agree that lax end-user ISPs are playing a huge part in this particular instance with Mirai and its derivatives - e.g. TalkTalk is still a huge source of the Mirai traffic being dropped by my firewall, whereas Eircom and Deutsche Telekom are now dropping off fast. The security principles of defense in depth, while normally applied by an individual organization, can be applied on the large scale as well, and that's what's ultimately needed here - the issue is coercing people who are able to do something but can't be bothered to actually do it, and that generally means some form of legislation. *Everyone*, regardless of whether they are a device maker (of IoT devices and routers), end user, service provider, or backbone carrier, needs to assume that their devices and/or users are dumb, and put appropriate security and mitigation measures in place to the best of their ability. You're never going to completely fix the problem, so the best you can do is to try as hard as you can to mitigate against the damage with the resources you have, and hopefully that will be enough to reduce the problem to a mere nuisance.