One holdup was that DNSSEC as originally conceived didn't offer privacy, because at that time DNS privacy was regarded as an esoteric thing to desire. If you're willing to admit that gazimble.example.com resolves to 10.1.2.3, why would you care that it's possible for someone to find that out without advance knowledge of the existence of the name 'gazimble.example.com'?
But by the time it was first considered good enough to be worth actually implementing, things had changed - privacy was the default in many "public" registries as well as most private organisations. DNSSEC was unacceptable in its current form to those entities because it would mean giving up something they were used to having, and which in some cases they had guaranteed to others.
So, back to the drawing board to come up with a way for a DNSSEC server to assert that the name you've asked for isn't known, without having to:
- pre-cache a denial for every conceivable unknown name
- do the calculation to sign such an answer each time (trivial DoS)
- lose the ability to securely deny the existence of a name
Of course you could argue that this shouldn't have held things up for the root - nobody expects TLDs to have privacy, this was only ever a concern for subdomains. But it was felt that if nobody else was going to deploy there was certainly no reason to _begin_ with the root where problems would be most costly.
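
The trade-off described above, as an added example that is not part of the original post: a finite, pre-buildable chain of "nothing exists between A and B" records answers any unknown name without per-query signing, but in plain form each denial discloses real names, while a chain over hashed names in the style of NSEC3 (RFC 5155) does not. The zone contents, salt and iteration count are constructed for illustration, and signatures are omitted.

```python
import hashlib
from bisect import bisect_right

# Constructed sample zone (illustrative names only).
ZONE = ["example.com", "gazimble.example.com", "mail.example.com", "www.example.com"]

def canonical_key(name):
    """DNSSEC canonical order compares labels right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def wire(name):
    """Lower-cased DNS wire format: length-prefixed labels plus the root label."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def hashed_owner(name, salt=b"\xab\xcd", iterations=5):
    """Iterated salted SHA-1 over the wire-format name (salt/iterations assumed)."""
    digest = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest.hex()

def build_chain(keys):
    """One (owner, next) record per existing name, wrapping at the end.
    The chain is finite, so every record can be signed ahead of time."""
    ordered = sorted(keys)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]

def covering(chain, key):
    """Return the pre-built record whose gap contains key, or None if key exists."""
    owners = [owner for owner, _ in chain]
    if key in owners:
        return None
    return chain[bisect_right(owners, key) - 1]  # index -1 is the wrap-around record

def deny_plain(query):
    """Plain chain: the denial itself names two real neighbours."""
    chain = build_chain([canonical_key(n) for n in ZONE])
    rec = covering(chain, canonical_key(query))
    return rec and tuple(".".join(reversed(k)) for k in rec)

def deny_hashed(query):
    """Hashed chain: the denial names only two hash values."""
    chain = build_chain([hashed_owner(n) for n in ZONE])
    return covering(chain, hashed_owner(query))

if __name__ == "__main__":
    print(deny_plain("aaa.example.com"))   # discloses gazimble.example.com
    print(deny_hashed("aaa.example.com"))  # discloses two hex digests only
```

Hashing only stops names being read directly out of a denial; a name that can be guessed can still be confirmed by hashing the guess.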