Given the large amount of sites, including popular sites, that do not have DNSSEC today, I'd expect that if this was a real risk we'd see a decent number of instances where it occurred.

And yet I see zero. Is it possible that given other mitigations (like multi-perspective validation) and given other attack vectors (like account takeover), this isn't actually a problem?