Fun fact (you probably remember), you used to report phishing sites with one simple email and they would actually be taken down.
These days I get the feeling a lot of the registrars are essentially/effectively in on it (at least by inaction). A well-run ICANN feels needed, who can track takedown compliance.
Abuse handling is a mess. AFAIK, the registries, registrars, and ICANN all share responsibility in terms of mitigation. There’s no consistency.
The entire domain squatting/parking industry exists because filing an ICANN dispute costs more than paying the squatter. Absolutely insane.