The other problem is what a do-gooder hacker could do once they took over the botnet. The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning.
I say brick them. Perhaps when bad security starts costing ordinary people time and money, they'll take it more seriously.
If I understand the process correctly, most hacked IoT devices aren't firmware hacked; the exploits live in volatile memory while the device is powered. The exploit can't get into the firmware because that's much more difficult, and in many cases the firmware is read-only.
Power cycling the device will clear the hack, but it can be taken over again using the same exploit.
Bricking the device, or perhaps making the device access an online site intended to catch the owner's attention (*), seems like a reasonable solution when used in concert with all the other solutions - going after the perpetrators legally, going after the device manufacturers, changing net rules to disallow IP address spoofing, and so on.
(*) Lead to a website with a landing page alerting the owner of the issue, or (for cameras) upload video to the user's account alerting the owner to the issue, and so on.