A blacklist seems like a pretty effective strategy and allows them to deal with offenders simply. I'd imagine you're not advocating for them to add proprietary extensions to P3P. What would you suggest they do otherwise, out of curiosity?
The problem is, blacklists need to be maintained, create a single point of failure (in terms of both access and trust), and rapidly grow out of control. See virus scanners, spam filtering, CRL checking for SSL, MSIE Phishing Filter, etc., all of which work either sporadically or at the unrelenting expense and pain of some central party.
I think MS probably needs to acknowledge that P3P is broken, and change the default so it doesn't affect third-party cookie acceptance. Administrators for Windows environments that think otherwise can override the default by deploying a group policy.