Root servers are hardened and decentralized(I think there were eight last time I looked). Nameservers are private property usually in the hands of solution providers who’s philosophy is “how much money can we save?”. Much like those belonging to some CAs who handle TLS and UEFI certificates.
I’ll admit I don’t know the entire spec of DNSSec though. I’d imagine it has some form of cryptography validation using signature distribution or it’d be pointless.