>This is assuming that you could realistically automate the act of inviting and uninviting non-friends without any penalization. In fact, what would probably happen is a rate-limit trigger that would temporarily knock out access from your IP address. There are also account-level rate limits, not just IP-level.
I think you are underestimating the capabilities of botnets and what you can buy from them with a handful of dollars.
No, I fully understand that, which is why I said "probably." However, it would be a sophisticated botnet to challenge Facebook's rate limiter, and moreover, it would still have the problem of producing an excessive amount of noise when Facebook saw an influx of users and IP addresses continually inviting and uninviting other users.
I think you are underestimating the capabilities of botnets and what you can buy from them with a handful of dollars.