I'm sorry, but if you have the wherewithal to commandeer 600,000 devices well enough to permanantly brick them, you have the wherewithal to commandeer them and load a patched version of software on them closing up the vulnerability.
If there's no fixed version of software available for the platform, then you cannot fault the ISP for not patching the devices.
If there IS a fixed version of the software available, this person should have used the botnet c2 to distribute and apply the fixed firmware, thus solving the problem while not killing connectivity for innocent end users.
The decision to take destructive action is indefensible. The right choice should been to update the devices with patched software if it was available, and if it wasn't, to leave them alone and instead focus on trying to develop a fixed version of software.
Now, if they were simply inept, and were trying to load fixed software onto the devices but failed to test their process adequately first, then at least their heart was in the right place, even if their understanding of how to do large-scale firmware upgrades safely wasn't.
But that's certainly not what that article would lead us to suspect was the intended outcome.
Matt