That sounds like its time to push standards forward, announce deprecations in advance, and have as many end services as possible adopt erroring if what they are receiving isn't standards compliant.
There is little actual reason for security middleware to not keep up.
Everything is working as intended though: we're talking about security middleware, not security middleware.
This stuff is built on the foundation of puffing out EnTeRpRiSe ScAlE egos with "look at all this vast complexity that I made, I am a god". It's not built on a technical foundation of always moving the needle forward just because you can and because it's cool and the right thing to do.
Sooo, all the $$$ get spent on dashboards and analytics screens and front panel designs and logos and stuff. The actual DNS bits? Probably /r/programminghorror material.
The point of deprecations is to eventually force a bad experience for those who are not keeping up. They definitely do work, but the time periods to affect change can be long. In the tech sphere many seem to interpret a long transition period as not working granted the usual pace of change.
That's different. There are ways in which ipv4 is subjectively better than ipv6, and "the catastrophe of needing more addresses" has not really panned out yet.
Resolver software is massively distributed, you don't force anything. The only place that can force anything from the top may be root servers, but even then, many resolver operators are probably just downloading root zone in bulk via https from somewhere to precache it and don't contact root servers at all.
There is little actual reason for security middleware to not keep up.