The difficulty of punishing people at universities
One of the quiet little secrets of university computing is just how difficult it is to actually punish people for doing bad stuff with computing resources. Really bad stuff, things that are criminal or have serious civil liabilities, can be punished. But mere violations of policies or bad network behavior (including spamming) can run into a series of problems.
Tenured professors might as well be the left hand of God, of course, especially if they get grant money. But even students (grad and undergrad both) are heavily protected, because many universities have strict policies on imposing 'academic sanctions'; this almost always includes not just direct loss of marks but also anything that is necessary to pass the course. This makes removal of computer access an academic sanction in many cases, subject to the requirements and the elaborate procedures.
Staff are theoretically the least protected, except that removing someone's computing access often makes them unable to do their job, which is not popular (to say the least) with their management chain. This can result in the only real options being either a slap on the wrist or a firing, and firings are often a hard sell (and often require their own large set of procedures, time, and repeated incidents).
(To be fair, the staff issue is probably the same for companies.)
This isn't to say that stern computing policies and AUPs aren't useful; if nothing else they can be used to scare people. But for some time I've wondered what we'd be able to do if, for example, someone started spamming for a religion and showed no inclination to stop.
(The more likely scenario is probably an undergrad that likes poking things with sticks; there is certainly no shortage of places to irritate and troll on the Internet.)