Why #dnssec is so unpopular among large orgs? As someone who works for large orgs I have seen a number of excuses, none of them really valid.

First, large orgs are traditionally risk averse and since they routinely screw up on simple "mandatory" things like TLS cert renewals so any mention of "DNS outage due to expired key" makes them freak out and reject any proposals of "optional" controls that could go wrong.