Typically, the cost of bandwidth is figured into the machine when you buy a colo.
That's why, as 1U colo might only cost $40.00/month, but all you are buying is the space/power for the server itself.
Then, you either purchase burstable, incremental, or transfer priced bandwidth for the server.
Additionally, depending on your provider/purchase, you are the only one on the set bandwidth pipe. So, if another colo [depending on DC infrastructure] is getting DDoS'd, it usually won't afflict your network status.
Not to mention all of the control that you get over the hardware, configuration, etc.
JTY also makes a good point. If the colo is local, most DC's will give you access to the equipment so you can make on-site changes.
And the list goes on...