DNSSEC is just replacing one set of roots (the CAs) with another (the root servers).

At least with CAs you can (theoretically) remove trust from a subset of them and things (mostly) keep working.