There is no way for an ISP to differentiate between an infected router or IoT device and an infected PC due to the user's own neglegence.
If laws like the Cyber Recillience Act have been put into effect long enough for us to see a significant improvement in device security, then we can softly begin to rule out that cause and focus on the user.
We are not there yet, because (imo) devices are still not properly secured enough for us to go straight to blaming the user.
What leads you to believe this is a tech illiteracy issue? Do you believe that only consumer IoT devices are unwitting participants in DDoS attacks?