"A criminal bot-herder could probably have their bots working pretty hard to brainwash various caches, significantly increasing the scope of a poisoning attack. However, they would run into the same problem mentioned in scenario #2: They could easily DDoS their criminally-controlled sites out of existence."
All of the scenarios that are presented seem to assume that an attacker is trying to get access to some form of infrastructure; be it to trick users into thinking that they are using corporate servers, where in reality they are using an attacker's site, or a home user who is being phished for payment details.
The scenario described above make me wonder though; how hard would it be for large botnets to poison a huge amount of vulnerable web servers to redirect traffic away from the victim's site.
For example, how happy would Amazon or Ebay be when a botnet decided to poison all the resolvers it could find with random IP addresses for their sites, causing users to be unable to reach them? That could potentially be pretty bad.
Now that most major sites are hopefully patched, or soon will be, the potential to disrupt the Internet as a whole seems to be diminishing rapidly. Still; there are more than enough unpatched servers out there to cause some serious inconvenience.
And don't forget; port randomization makes the attack harder but not impossible.