Also note that ASPA validation prevents only hijack by peers and customers, not by providers. Due to way how ASPA validation works, providers could always announce to their customers routes with valid-looking AS PATH with hijacked ASN appended at its end.
Trust infrastructures are always like this, it's one reason PGP's "Web of trust" doesn't work at scale.
If you trust Alice then it's not astonishing that Alice can stab you in the back. Most of us can probably manage to pick trustworthy direct friends. But then, what if we're to trust that Alice's friends won't betray us ? That's a lot stickier.
PGP tries to distinguish "Do you trust that Alice is who she says she is?" from "Do you trust that Alice is a good judge of character?" but the latter is largely unknowable and PGP treats it as recursive. You trust Alice, Alice trusted Bob, Bob trusted Caroline and now Caroline's friend Dave stabbed you in the back. How is this Alice's fault somehow?