One of the problems on the 'net right now (and in a lot of areas that aren't the 'net, for that matter) revolves around responsibility. If you leave your computer exploitable, and someone gets in and uses it to DDOS someone, are you really at fault? After all, you didn't DDOS them - but you *did* leave it open. And damage was done thanks to your own negligence.
It seems weird to place all the responsibility on the people who just aren't very knowledgeable. But it also seems weird to let them completely off the hook. So how about a fine? $50-$100 per event - so if you leave your computer exploited, and someone keeps DDOSing people through it, you'll quickly owe quite a lot of money. No jail time, just monetary penalties.
Use a larger fine for companies. Or maybe just base the fine on the amount of bandwidth you have available. (There's an interesting thought . . . "How much bandwidth do you want? More bandwidth will provide for a smoother browsing experience, but leave you liable to heavier fines if your computer is exploited.")
Of course, another question becomes "what about Microsoft" - the fact is that Windows isn't terribly secure. But I don't think anything needs to be done about that. They're not forcing people to buy Windows (well, not anymore) - Linux is available, and people can use it if they wish. I imagine there would quickly be a market for *good* intrusion detection packages or security packages, and that's fine too.
I keep thinking there must be a horrible flaw here, but I'm having trouble finding it.