This is how it SHOULD be... not the most profitable, but the most sense for 90% of the users.
If you reach the CAP, they suspend the service. Then you phone them, they tell you why, and THEN they re-activate it after explaining it to you. (Quite easy... They have no problem doing it if you miss a payment, that is for sure, it's quite EASY for them then!) And charge a re-activation fee too i'm sure.
I had a SPRINT USA AirCard in Canada(Unlim in USA / 300MB in Canada)... as soon as it hit 300MB it wouldn't even connect anymore, came up with an ERROR.
Why not just limit the bandwidth when the cap is reached? This is how it is done in Australia and it keeps almost everyone happy. The Badnwidth limits were originally 64Kb/s until the next billing cycle. They are now better at 128Kb/s or 256Kb/s depending on the plan. The GB/month plans are reasonable(in my opinion) and they do have unmetered sites for VOD and other content.
Also, for this story, in Australia it is also illegal for a Company to profit from a crime. If the Router was hacked(and it had reasonable security) then the ISP can only charge their actual costs(at most) they cannot charge Retail rates(Profit from a crime).