A hoster should protect there clients to a point, but when the DDOS comes into it, it can mess up alot of things, and someone just doesnt DDOS a website/server for nothing he/she must of done something to warrant the attack, and normally hosters dont want them type of people on there boxes.
If any of our clients is ddos'd the DC null routes them for us. They let us know so we can let the client know. If they do ask for a new IP we will give it to them and cancel the old one so they can at least get moving again. Generally (and YMMV) we give 3 strikes. 3rd time and we don't fire it back up unless it's a scheduled window for you to get your data off of it.
Unless you are specifically paying for DDOS protection most hosts will not absorb a large attack like that.
Absolutely right, while a big vendor like Hetzner can indeed deal with such an attack, you'll probably have to be on some plan that would provide some level of protection, and that alas is probably not free of charge.
There may come a day when hosting providers include true DDoS protection in their overall offering that may come close to a freebie, but imho it's early days for that, especially with cost of protection as costly as it is today.