2011/03/25

Good and bad news on DNSSEC at TLDs

I tried to count the number of Top Level Domains that are running with DNSSEC. The good news is that there are 64 TLDs which are DNSSEC-enabled. However, there is also bad news. Some TLDs (e.g. "se.", "th." and "lk.") are not using NSEC3, which can result in all of their domain names being harvested by bad guys with just a single command. Because of the huge number of domain name records in TLDs, they should by all means be signed with NSEC3 in their DNSSEC implementations. There is no other choice. My screen dump below:
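An added illustration (not the author's screen dump and not code from the original post) of why NSEC3 matters here: a plain NSEC record names the next existing domain in clear text, while an NSEC3 record carries only a salted, iterated SHA-1 hash of it as defined in RFC 5155. The sample records, salt and iteration count are constructed for a fictitious "example." zone.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648), not the standard base32 alphabet.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Lower-cased DNS wire format: length-prefixed labels plus the root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash, algorithm 1 (SHA-1): H(name | salt), re-hashed `iterations` times."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()

def denial_record(rr_line):
    """Report what one denial-of-existence record (dig text format) reveals."""
    f = rr_line.split()
    if f[3] == "NSEC":
        return ("NSEC", "next name in clear", f[4])
    if f[3] == "NSEC3":
        # Fields after the type: hash algorithm, flags, iterations, salt, next hash.
        return ("NSEC3", "next name hashed", f[8].lower())
    return (f[3], "not a denial record", None)

# Constructed sample records for a fictitious "example." zone (not real TLD data).
SAMPLE_NSEC = "a.example. 3600 IN NSEC ai.example. NS DS RRSIG NSEC"
SAMPLE_NSEC3 = ("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 "
                "1 1 12 aabbccdd 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA RRSIG")

if __name__ == "__main__":
    print(denial_record(SAMPLE_NSEC))    # the neighbouring name is readable
    print(denial_record(SAMPLE_NSEC3))   # only a hash of the neighbour is visible
    print(nsec3_hash("example.", "aabbccdd", 12))
```

A zone operator can run `nsec3_hash` with the values from the zone's NSEC3PARAM record to confirm that the owner names in its denial chain are the hashes of its real names.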
