That would just be a target list for hackers. Most of the devices that take part are going to be in homes or SMBs with old firmware that’s subject to known vulnerabilities. They will give the list to AS operators who request the offending IPs (presumably restricted to the AS ranges) but dropping it out on the public internet just invites trouble.

Not sure about CF but a lot of corps report to https://www.abuseipdb.com. So it is not hard to get the IPs of attackers.

they do for ISPs who wants to do it. this is referred in the "Free botnet threat feed" of the article.

They could but it's whack-a-mole and most ISPs just route abuse reports straight to /dev/null.

IMHO, ISPs caught in that act should get yanked off the internet.