I understand that if someone works in security, their budgetary aspirations will bias them towards scaring the bejesus out of people, but Arbor Networks' ASERT posting on Cisco's crafted IP attack goes beyond stupid.
"I know that people in ISP operations groups are sweating this,"
Hello??? What major ISP uses Cisco across the board anymore? Being multi-homed makes as much sense for purchasing transit (or peering) as it does for purchasing hardware. On top of that, ISP management knows that ISP engineers have previously had to ACL Ciscos to handle 0-day Cisco attacks. It pays to have a multi-vendor architecture (unless you are configuring routers by hand).
Besides, no matter how much hair you pull out, Ciscos or Junipers or whatever will always have security issues.
Given this omnipresent uncertainty, ISP ops are *always* either: