I toyed with a similar idea that would be limited to subnets or non-routable IP space, and open-source/community-driven, but I had to take it down almost immediately due to bad press/backlash. There's really no way to address this without government regulation on ISP's to assume the external cost of botnets coming from devices on their networks. And the only way to justify that is to modify our computer crime laws to allow them to scan, patch, maybe even brick (or just turn off the customer's Internet and notify them) when vulnerable devices are found.