In other words: in the world we're in now, pre-CISPA, what's the specific legal risk you think is preventing Facebook from sharing data?
It's certainly not the ECPA! The ECPA, like I've pointed out repeatedly, specifically carves out an exception for service providers sharing information, and makes no mention of anonymizing that data (ironically, it's CISPA that brings anonymization into the picture).
You yourself make a not-invalid point, that ECPA doesn't prohibit sharing but also doesn't shield providers from claims under other laws. I agree that if CISPA is worth keeping, the language around immunity should be tightened --- oh wait, it just was in the latest draft! --- but again:
For CISPA's sharing immunity to be a meaningful threat, you'd have to cite some statute that could reasonably threaten (again, say) Facebook for sharing information during an investigation.
Finally, I know it's annoying that I keep saying this, but: providers already share information about attacks, and it's not all anonymized or particularly carefully targeted. I have firsthand knowledge of what they used to do a few years ago, and understand that sharing has only increased since then.