I suspect a lot of the reason for them being at the top is simply volume. When you have that many users, no matter how fast you respond to compromised machines spewing spam, a certain amount is going to make it out.
The alternative of course is to block port 25 by default, but considering the amount of upset customers even small changes create, I would suspect blocking an entire port (which I'm certain a LOT of their customers use to send mail through webhosts, private mail servers, etc) would create an unacceptable volume of support calls and angry customers in general.
When SBC implemented port 25 blocking in my area, they spent about 2 weeks inundating their customers with emails and letters informing them of the changes, and how to be exempted from them if you needed direct access to port 25. Even so, I probably had 4 or 5 of my customers call me because they couldn't send email anymore after the change, due to the fact they were trying to send their email out through a mail server provided by their web host. A simple call fixed the problem, but it just goes to show how unlikely it is that people will pay attention and actually make necessary changes before something like that causes them a problem.
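The port 25 policy described in this post, modelled as an added example (not the poster's code and not any ISP's actual implementation): outbound TCP/25 is blocked by default, an exemption list covers customers who asked to keep direct port 25 access, authenticated submission on port 587 is always allowed, and non-exempt hosts that keep hammering port 25 are surfaced as likely compromised. The flow records, addresses and the `EXEMPT` list are constructed for the example; the threshold is an assumption.

```python
from collections import Counter
from dataclasses import dataclass

SMTP_PORT = 25          # direct-to-MX delivery: blocked by default under this policy
SUBMISSION_PORT = 587   # authenticated mail submission: never blocked


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt seen at the ISP edge (constructed format)."""
    src: str    # customer host
    dst: str    # remote server
    dport: int  # destination TCP port


# Constructed sample traffic; 10.0.0.0/8 hosts are hypothetical customers.
# 10.0.0.5  - a compromised machine trying many different mail servers on port 25
# 10.0.0.7  - a customer on the exemption list running a private mail server
# 10.0.0.9  - a customer relaying through their web host's server on port 25
# 10.0.0.11 - a customer already using submission on port 587
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", SMTP_PORT),
    Flow("10.0.0.5", "192.0.2.11", SMTP_PORT),
    Flow("10.0.0.5", "192.0.2.12", SMTP_PORT),
    Flow("10.0.0.5", "192.0.2.13", SMTP_PORT),
    Flow("10.0.0.7", "192.0.2.20", SMTP_PORT),
    Flow("10.0.0.7", "192.0.2.21", SMTP_PORT),
    Flow("10.0.0.9", "198.51.100.5", SMTP_PORT),
    Flow("10.0.0.9", "198.51.100.5", SUBMISSION_PORT),
    Flow("10.0.0.11", "198.51.100.9", SUBMISSION_PORT),
]

# Hypothetical opt-out list: customers who asked for direct port 25 access.
EXEMPT = frozenset({"10.0.0.7"})


def decide(flow: Flow, exempt=EXEMPT) -> str:
    """Return 'allow' or 'block' for a single outbound flow under the policy."""
    if flow.dport != SMTP_PORT:
        return "allow"          # only direct port 25 is subject to the block
    return "allow" if flow.src in exempt else "block"


def blocked_counts(flows, exempt=EXEMPT) -> Counter:
    """Number of blocked port 25 attempts per non-exempt source host."""
    return Counter(f.src for f in flows if decide(f, exempt) == "block")


def suspected_spammers(flows, threshold=3, exempt=EXEMPT) -> list:
    """Non-exempt hosts whose blocked attempts reach the threshold.

    A single blocked attempt is usually a misconfigured client (the customer
    who will call support); a burst to many servers looks like a bot.
    Threshold of 3 is an assumption chosen for the sample data.
    """
    counts = blocked_counts(flows, exempt)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:10} -> {f.dst}:{f.dport:<4} {decide(f)}")
    print("blocked attempts per host:", dict(blocked_counts(SAMPLE_FLOWS)))
    print("suspected compromised hosts:", suspected_spammers(SAMPLE_FLOWS))
```

With the sample data, the exempt host's port 25 traffic passes, the web-host relay customer gets a single block (the support-call case in the post), and only the host spraying port 25 at many destinations is reported.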