Nothing easy about using the civil courts, especially if you're a small business.
That's wrong; lots of small businesses file civil claims through the courts frequently and often. But the bigger point is that small companies aren't the target - they don't have the money for ransom demands, and are unlikely to be important enough to be a target. Nobody is going to deploy a huge IoT botnet against the local dry cleaners, as a botnet has a finite lifetime and diminishing power over time as machines get pulled or patched.
This target was DynDNS, a large company with relatively deep pockets, and DDoS attacks have been historically against targets like Ladbrokes on a big race day. They have the finances to seek legal action and the interest to potentially do so.
Companies change or die when an external force comes at them. Usually costs. The cost of a legal battle and damages on the horizon is likely to be enough to deal with many companies' current non-existent long-term support plans for these tasty little attack vectors.
This is the way that corporate negligence (which is what this would fall under potentially) has been handled for many years. It allows for the companies and the market to come up with a number of interesting solutions rather than having one forced on them, which could potentially later become universally defeated.
To put it another way, we have airbags in cars not because the law requires them, but because the market and car manufacturers have deemed them to reduce risk and increase profits - we need to encourage similar innovation rather than forcing a monolithic solution such as filtering at ISP level or kill chips.
Chris