Well it costs practically nothing to dispatch emails by the millions so you really only have to catch enough fish to cover electricity. You don't even have to pay that if you happen to have taken over someone's shitty webserver. Then they're paying for it. So that's the main reason it works. Botnets quietly scour the internet for insecure webservers and use them to pump out millions of spam emails until a mail admin notices the pattern. Then he sends a nastygram to the web server admin, who hopefully fixes it, or else to the host/datacenter, who shuts the thing down. But in the time it takes to do that, the botnet has already found a thousand other shitty webservers to do the same with. Endless whack-a-mole.