All IPs are allocated to CIDR blocks and Autonomous Systems, the latter identified by their Autonomous System Number (ASN). It's reasonably straightforward and tractable to track good/bad behaviour by either, and (thanks to the Law of Large Numbers and Power Laws), there's virtually always a very small number of absolutely horribly-misbehaved blocks from which a large fraction of abuse originates. Moreover, at sufficiently fine detail, it's possible to identify both friendly and hostile address spaces, permitting carve-outs for the former and scaled response against the latter.
The second part of this approach is that defences need not be all-or-nothing, universal, and/or unscaled. A netblock with a few bad actors might be subject to a slight performance penalty. A netblock with no non-hostile traffic could be blocked entirely (or tarpitted or otherwise subject to negative performance impacts). And of course, reputation data can be shared, as a broader view (one which, say, a large CDN or monitoring service might have) is going to provide both earlier warning and greater detail of where hostile activity originates. And individual instances of good behaviour could be excepted from broader blocks.
Ultimately, connectivity providers, whether of data centres or residential / organisational / mobile Internet services, should be encouraged to police their own outbound traffic and take actions themselves in the event of identified abusive behaviour. (That's been a long-standing dream of mine; it's ... stubbornly refused realisation.)
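The scaled, per-netblock response described above can be sketched as follows. This is an added example, not code from the original comment; the /24 aggregation, the thresholds, the action names and the sample events are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

PREFIX_LEN = 24   # assumption: aggregate IPv4 sources per /24
MIN_SAMPLES = 5   # assumption: never judge a block or host on fewer requests

# Constructed sample events: (source IP, request was abusive?)
EVENTS = (
    [(f"198.51.100.{i}", True) for i in range(1, 9)]     # no non-hostile traffic
    + [(f"203.0.113.{i}", False) for i in range(1, 10)]
    + [("203.0.113.77", True)]                           # a few bad actors
    + [(f"192.0.2.{i}", True) for i in range(1, 8)]      # mostly hostile...
    + [("192.0.2.200", False)] * 6                       # ...with one good host
)

def netblock(ip):
    return ipaddress.ip_network(f"{ip}/{PREFIX_LEN}", strict=False)

def score(events):
    """Count [abusive, total] requests per netblock and per source IP."""
    blocks = defaultdict(lambda: [0, 0])
    hosts = defaultdict(lambda: [0, 0])
    for ip, abusive in events:
        for counter in (blocks[netblock(ip)], hosts[ip]):
            counter[0] += int(abusive)
            counter[1] += 1
    return blocks, hosts

def block_action(bad, total):
    """Scaled response for a netblock; thresholds are illustrative."""
    if total < MIN_SAMPLES or bad == 0:
        return "allow"
    if bad == total:
        return "block"
    return "tarpit" if bad / total >= 0.5 else "throttle"

def decide(ip, blocks, hosts):
    bad, total = hosts.get(ip, (0, 0))
    if total >= MIN_SAMPLES and bad == 0:   # carve-out for proven good behaviour
        return "allow"
    return block_action(*blocks.get(netblock(ip), (0, 0)))

if __name__ == "__main__":
    blocks, hosts = score(EVENTS)
    for ip in ("198.51.100.200", "203.0.113.5", "192.0.2.3", "192.0.2.200"):
        print(ip, decide(ip, blocks, hosts))
```

The same counters could be keyed by ASN instead of prefix, given a prefix-to-ASN mapping, which this sketch does not include.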