I stayed away from the ISP example since you generally have a capped level of bandwidth (within some bounds). Many ISPs will notify when you exceed, for example, download limits and they commonly provide free AV and anti-malware.

G

You used credit card fraud detection as an analogy for the case of toll fraud prevention. Wouldn’t enterprise data network security be a better analogy to answering the question of who should bear responsibiltiy/costs of preventing toll fraud?

Enterprises generally do not rely on their Internet service providers to bear the costs of securing their data networks from attacks via the public Internet. Why should connections to the public phone network be treated differently?