Requiring NIP-05 could be really effective, right? If a domain spams, we can block the entire domain... but they could buy hundreds of trash domains, no? would cost/effort be prohibitive to do this at scale?
So far none of the spammers have used valid NIP-05s. So, it has been very effective. They'd have to cycle through quite a lot of domains to evade from a relay operator who regularly builds the blocklist. And as you point out that might not be worth it financially. But as is the case with spam, malware, ransomware, etc... It'll always be a cat and mouse, whack-a-mole effort. At least, for now, we're winning.