I am sure that you are smart enough not to enable VerifyHostKeyDNS option in ssh for any machine that uses an untrusted DNS resolver. But surely you understand why the option is disabled by default, right?
Until we get to the point where people get a secure DNS resolver installed by default, it doesn't make sense for application developers to trust the DNS response by default. Relying on a pre-shared public key gives the application much better assurance (even if this assurance is weaker than what they'd get from a properly verified DNSSEC response).
Perhaps if an operating system installed a DNS resolver that performed the necessary checks by default, it would make sense for applications to trust the response flags. But until that point, applications are better off using some other trust mechanism.